Confucius once said, “Life is really simple, but we insist on making it complicated.” Those of us in cybersecurity professions can easily relate to this philosophy. Cybersecurity has become exceedingly complicated in recent years, and the complexity might now be our biggest vulnerability.
IT is evolving rapidly, but IT security is often left playing catch-up as it adapts to changes in how businesses approach and deploy computing, applications, networks, databases, and devices. Many organizations rely on best practices such as defense in depth, secure development lifecycle, penetration testing, separation of duties, etc. However, these tactics do not allow cybersecurity to move at business speed, and they contribute to the lag in IT security.
When a company adopts a brand new IT tool, feature, or capability for the purpose of speeding productivity or saving money, security teams are tasked with securing the new item immediately. But how can they be expected to do this when the available technologies are not yet equipped to specifically address the new security need? Many turn to piecemeal solutions that require the layering of security technologies, which are often layered over even more outdated security solutions. On the surface, this approach sounds crazy, yet this is the reality cybersecurity teams face every day.
Let’s look at network security practices, for example. In recent years, organizations have helplessly watched the network perimeter – a key component in securing an organization from threats – dissolve.
Organizations now rely on mobile workforces, multiple physical locations, and the Cloud for mission-critical business operations. Yet many organizations continue to rely on traditional network security practices like firewalls, appliances, and various point solutions. Each layer, device, and solution then requires its own policy, continuing to bog down already overwhelmed security teams. In the end, this creates complexity that leaves organizations more vulnerable than they’d like to think. The more security layers there are, the more opportunities a hacker has to find a weakness. This complexity and inefficiency is particularly risky considering that cyber attacks are at an all-time high.
So what’s stopping organizations from scraping away the layers and addressing the core issues? Possibly, a fear of simplicity. As Confucius identified, we humans are inherently complex. In the case of network security, we also have an unhealthy dependency on hardware and appliances, as many go by the ‘wait and see’ approach with regard to cloud adoption. In order to make progress, we need to come out of our comfort zones, accept that the network perimeter is gone, and admit that a layered security strategy is flawed. Think simple, and make changes that bring cybersecurity back to the basics:
● Strive to reduce workload on critical IT resources
● Reduce policies and configurations that need to be maintained in order to reduce attack surface
● Adopt faster, automated adaptability to seamlessly keep up with new threats
Thinking simpler about cybersecurity is not that hard. The same dynamics that created today’s cybersecurity challenges, like the Cloud, virtualization, and software, can now be used to conquer complexity, if used correctly. Let go of complexity and achieve cybersecurity enlightenment. Confucius would be proud of you (and you might even sleep better at night).
About the Author:
Ofir Agasi is Director of Product Marketing at Cato Networks with over 12 years of network security expertise in systems engineering, product management, and research and development. Prior to Cato Networks, Ofir was a product manager at Check Point Software Technologies, where he led mobile security, cloud security, remote access and data protection product lines. Ofir holds a B.Sc. degree in Communication Systems Engineering.