CIS Podcast: Cybersecurity Where You Are Ep. 16
Cybersecurity – Think INSIDE The Box
In this edition of Cybersecurity Where You Are, CIS Senior VP and Chief Evangelist Tony Sager welcomes back Kathleen Moriarty, Chief Technology Officer for CIS. Together they discuss the role service providers play in the future of cybersecurity.
The Problem with Out-of-the-Box Technology
Technology products today often favor performance and features over security. When a new product reaches the market, it is not secure out of the box; its default configuration needs continual hardening and updating as vulnerabilities are found. This approach, although universally accepted practice, is not optimal.
The process of pulling in and aggregating vulnerability data, and then manually working fixes into the infrastructure, is both costly and time consuming. It also means that each company remediates however it sees fit. There is no common thread between how one company solves a problem and how the rest do. This inconsistency can lead to even more vulnerabilities.
The Problem with Patches
Patches are appropriately named: they cover something up to allow it to continue to work. To be effective, they have to be identified and applied almost immediately. Hackers take advantage of the window that exists between the time a vulnerability is found and the time a patch is created, communicated, and applied.
A Built-in Solution for Cybersecurity
The current temperament around technology is that system flaws "come with the territory" and cannot be avoided. Patches are created and deployed in the hope of fixing the issue. However, at times, what is done in one area of an application may affect another. This can cause the system to not work correctly or even crash.
The ideal solution would be to move away from add-on products and offer software with built-in security. DevSecOps (short for development, security, and operations) automates the integration of security into the development process. Code written in modules from the beginning can be patched more easily and without impacting other code. An unrelated app won't crash because of a change in another module.
Service Providers and Vendors to the Rescue
Many may think that only large companies are at risk. This is a misconception. Schools, hospitals, local governments, and small businesses are all targets, as they possess personal data and intellectual property that is appealing to hackers. What they often lack are the tools and resources to protect themselves. Product and service providers can offer built-in cybersecurity technology that is both cost-effective and automated.
If the future brings more built-in cybersecurity to applications, service providers and vendors will have to trust that the solutions they are selling or recommending are configured correctly. Kathleen gives the example of the CIS Benchmarks, no-cost, consensus-based configuration guidelines that have been developed for more than 20 years. If a company were to purchase software built to these Benchmarks, its policy settings would already carry the required configurations and could be verified by measurement, with no expertise required on site.
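The verification Kathleen describes works by comparing a system's actual settings against a consensus baseline automatically, so that no on-site expert has to read the configuration by hand. The following is an added example written for this page, not code from CIS or from the podcast, of the shape such a check takes. The baseline entries, the `sshd_config`-style sample text, and the choice to treat an unset setting as a failure are all constructed assumptions for illustration; they are not actual CIS Benchmark recommendations.

```python
"""Added example (not CIS or podcast code): automated check of a
configuration file against a small consensus-style baseline.

The BASELINE entries and SAMPLE_CONFIG are constructed for this
illustration and are not actual CIS Benchmark content."""

import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed baseline (assumption): setting name -> set of allowed values
BASELINE: Dict[str, Set[str]] = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"1", "2", "3", "4"},
}

# Constructed sample input in the 'Key value' style sshd_config uses
SAMPLE_CONFIG = """\
# sshd_config (constructed sample for the example)
Port 22
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 6
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines. Blank lines and '#' comments are ignored.
    The first occurrence of a key wins, matching how sshd resolves
    repeated directives, so a later duplicate cannot override it."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


@dataclass
class Finding:
    setting: str
    expected: Set[str]
    actual: Optional[str]  # None when the setting is not present at all
    passed: bool


def check_against_baseline(text: str, baseline: Dict[str, Set[str]] = BASELINE) -> List[Finding]:
    """Compare every baseline setting with the parsed configuration.
    A missing setting is reported as a failure (conservative assumption:
    the daemon default is not trusted; an explicit value is required)."""
    settings = parse_config(text)
    findings: List[Finding] = []
    for key, allowed in baseline.items():
        actual = settings.get(key)
        passed = actual is not None and actual.lower() in allowed
        findings.append(Finding(key, allowed, actual, passed))
    return findings


def failing_settings(text: str, baseline: Dict[str, Set[str]] = BASELINE) -> List[str]:
    """Names of baseline settings the configuration does not satisfy."""
    return [f.setting for f in check_against_baseline(text, baseline) if not f.passed]


def report(text: str, baseline: Dict[str, Set[str]] = BASELINE) -> str:
    """Human-readable PASS/FAIL listing, one line per baseline setting."""
    lines = []
    for f in check_against_baseline(text, baseline):
        status = "PASS" if f.passed else "FAIL"
        shown = f.actual if f.actual is not None else "<unset>"
        lines.append(f"{status} {f.setting}: got {shown!r}, allowed {sorted(f.expected)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check.py [path]; with no path the constructed sample is checked
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(report(source))
```

Run against the constructed sample, the check flags `PermitRootLogin`, `X11Forwarding` (present only as a comment, hence unset), and `MaxAuthTries`, while `PasswordAuthentication` passes. The point is the division of labor: the expertise lives in the baseline, and the site only has to run the comparison.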
Looking to the future, a more built-in, automated, and uniform system for cybersecurity is key to protection for all.
- About Kathleen Moriarty
- CIS Benchmarks
- CIS Critical Security Controls
- Tools for Vendors and Consultants