Waiting for a better threat to come along

Ade Taylor, Head of Security Services

I typically buy a new phone on every other model launch, largely because the advances in technology and capability are much more significant and obvious to the user (i.e. me) when I skip a generation.

In fact, after 30 years working in IT, I will not buy the first generation of any brand-new technology; I hate paying full retail prices to act as an unpaid beta tester, so I prefer to watch (and comment) from the sidelines as teething troubles are ironed out until I’m confident enough in the stability of a product to buy.

It’s cheaper, less stressful and means I know I can rely on the kit I have purchased.

I’m far from alone in this approach, but there is a cost: I never own the latest hardware and, aside from those critical security patches, I’m usually one major OS release behind as well. Because of this, I don’t enjoy the latest user experience or benefits.

In a domestic situation, that’s fine – a compromise for which I can own the responsibility – but it’s an approach I often see in a corporate environment too. Until recently it was common for corporate buyers to expect a minimum 5-year replacement cycle when upgrading, for example, network technology, and it’s not infrequent that I see RFPs with a target lifespan of 7 years before the next refresh.

I realise that in some areas this is fine, and actually hard to change – if you have a giant switched network it’s not going to be possible to replace many thousands of appliances scattered around the world every other year.

In cyber security though, it’s a real problem.

There are two thought processes at work here: first, “sweating the asset” and, second, waiting for the Next Big Thing. When budgets are tight, neither is a surprise, but in the world of cyber security this has the potential to be a real risk to your organisation.

An example. I’ve spoken to more than one customer or prospect in the last few months who is delaying the selection of new security appliances because they have decided that AI enablement is a key buying factor.

Ok, I get that thinking, but the embedded AI market is fractured, fast moving and confusing, and it shows no signs of being resolved while every vendor tells the same “our new AI chipset / OS is in beta, it’ll just be a while longer” story.

And while we wait for defensive AI to be “gold build” and reliable, we could be years behind offensive AI.

Time to address the elephant in the room – the big “R”.

Risk management is, of course, the single most important factor when making cyber security buying decisions. Managing and (hopefully) reducing the risk of a breach or other malicious activity is the central point of the whole industry – it’s why the industry exists.

I’m not advocating that we all throw our risk models and hard-won assessment criteria to the wind but I am suggesting we need to review those risk models in the context of the increased pace of change.

Cyber security developments in both offence and defence have always been faster moving than any other aspect of corporate IT and my view is that AI is beginning to turbo-charge that pace of change to the point where we simply won’t be able to retain security kit for even a 2-year refresh cycle and remain protected.

So, what should we do?

In short, our risk appetites need to expand.

Waiting for the most stable, “installed everywhere” security solutions, at the cost of benefiting from new technology, could well elevate our exposure to risk. So we should consider getting on board with emergent vendors earlier, and adopting “leading edge” technology that we would never have accepted even a year ago.

That’s not to say that decisions shouldn’t still be well informed.

The key to making the best decision is, in my view, two-fold. Firstly, buy interoperability: make sure that 1) your technology is extensible via plugin development and 2) it supports common methods for customisation, such as Python. Then you have at least covered software obsolescence for as long as the hardware works.

Secondly, buy visibility. The days of the black-box solution are long gone. Modern cyber security is wholly dependent on data sharing. Don’t worry about the format of the log data your box or service provides – the next-gen SIEM platforms will look after that – just make sure you can extract activity data from whatever you buy so that, crucially, you can correlate it with everything else on your network.

The point is this: the threat landscape is changing daily. Using AI to collect, analyse and correlate your data from as many places as you can, to discover threats by association or implication, not only mitigates the risk of deploying a slightly newer technology; it is the only way to keep up.