With October ushering in Cybersecurity Awareness Month, agencies and industry must remember that the challenges they face are among the most common for organizational and personal security.
The separation between work life and personal life is increasingly less distinct, and with more digital natives in the workforce than ever before, cybersecurity is emerging as a fully shared responsibility. This means there are important roles and obligations for everyone, not just the cyber team.
With so much at stake, organizations can’t afford to assume that someone else is handling cyber defense. Instead, they need to remember they are only as secure as their weakest link.
Dan Fallon, the director of engineering for Nutanix, said this idea of shared responsibility becomes even more important as agencies move more applications and data to the cloud, especially a hybrid cloud.
“We are looking at what they are doing around data security and data encryption, and what are they doing to automate what clouds they are looking at,” Fallon said on the IT Innovation Insider, sponsored by Nutanix. “We are focusing on the basics there. What are their compliance standards? There are a lot of different standards that are ever-changing. We are showing them how we can check the box with a product that takes security that is more of a built-in than bolted-on approach.”
David Reber, the director of cybersecurity for Nutanix Frame, said because agencies will be operating in a private data center and public cloud for the foreseeable future, they need to have automated security checks and a way to provide visibility to make rapid response decisions when there is a problem.
“How can you get an enterprise cloud view across both ecosystems in a unified manner tends to be one of the biggest challenges for end users,” he said. “How do we automate security checks while the developers are rolling code or capabilities out to the workforce? This way you get real-time feedback.”
Reber said the dev/sec/ops model lets agencies balance security and compliance with agility and speed.
The sharing of responsibility means agencies and vendors alike have to start with a consistent baseline that includes a predictable infrastructure. Then the automated rules can kick in to alert chief information officers or chief information security officers if a device or application has fallen out of compliance.
As work and personal lives continue to merge, Reber said the need to have a shared responsibility perspective becomes even greater. He said email remains the biggest attack vector for bad actors and most employees don’t do enough to protect themselves in their personal lives.
Reber said agencies need to understand where the line in the sand is drawn between cloud or on-premises vendor security and a department’s responsibility to protect its data and systems.
“The real truth is can your vendor outline specifically what they do for you, here is how they help and here is where you take control and ownership. You need to define that and make sure you educate your users in that personal responsibility area as well,” he said. “If you are using bring your own devices and stuff like that, you need to make sure there is good education for everybody, specifically at the top of your organization. They tend to be the busiest. They tend not to take the training or, if they do, it tends to be ad hoc. But they are targeted the most. Their names are a Google search away from being targeted. They and their families are at risk.”
Reber said executives have to realize that cybersecurity is a constant effort around training, people, process and technology, and it starts with them.
Fallon added that agencies’ continued shift of their security model toward continuous monitoring and automation of security standards will further get human errors out of the discussion about how to deal with known and unknown vulnerabilities.