“It’s time to change the way we think about cybersecurity.” That was the message I heard repeatedly in conversations and at keynote addresses at the OpenText Enfuse 2018 conference I attended in May.
“Security isn’t just around malware anymore,” said Lalith Subramanian, VP of Engineering for Analytics, Security and Discovery with OpenText. “It’s about data leakage.”
The amount of data companies use and store has become so large and cumbersome that it is more difficult to correlate and control. Organizations are too often careless in their behavior surrounding data. This leads to data seeping out of the company in different ways. Malware is still a threat, yes, but now information is siphoned through compromised privileged access (the hacker or insider has legitimate access to the data through authentication methods, but is accessing it without authorization) or through intellectual property theft or by improper sharing of data.
When cybersecurity was first introduced, a lot of attention was put on protecting the perimeter with firewalls and antivirus software. Now security focuses on protecting the individual device. That’s absolutely necessary, said Anthony Di Bello, senior director, Market Development at OpenText, but we must apply controls that are closer to the data. The emphasis of security has to be on the data, not the device because of the changing way files are compromised.
One-Size-Fits-All Model Not Working
Yet, the focus of most security systems remains malware and attacks on the network. By not shifting the approach to cybersecurity, to put more emphasis on data leakage, could end up costing a company, especially now as the EU’s Global Data Protection Regulation (GDPR) has gone into effect.
The other concern with our current approach to cybersecurity, Subramanian told me, is the one-size-fits-all model across industries. When we talk about cybersecurity platforms and tools, we tend to discuss them broadly—you need this tool or that tool, this is what you have to defend, this is the best mitigation solution and so on. At a high level, that works because everyone needs to install the basics. And that’s the approach too many organizations take, using the same tools and platforms as the guys next door because that’s what works in that business.
However, Subramanian continued, a business within the life sciences industry is going to have very different security concerns than a company in the financial industry. Or within the healthcare industry, the office of a heart specialist will address security issues different from the dermatologist in the same building or the health insurance companies they deal with. That’s all because the data they need to protect is very different. The life sciences company will want to protect intellectual property, while the cardiologist needs to ensure the IoT devices used by his patients are protected from outside manipulation.
In my conversations with both Subramanian and Di Bello, we discussed what this changing face of cybersecurity would look like. To help me better understand, I likened it to an inverted pyramid. On top is the perimeter security tools that everyone—not just businesses—need to deploy as basic protection. It then condenses to the compliances that must be followed across multiple industries, narrowed to industrywide compliance and needs, down to individual businesses and even the data security necessary for separate departments within the single organization. Security protection becomes that specific because it is centering, not only on the data but the varying levels of protection different data requires. Interoffice email conversations likely won’t need the same type of security a database of patent applications requires.
Security Is About Trust
Trust was another message stressed during the conference. In a roundtable discussion, OpenText Vice Chair, Chief Executive Officer and Chief Technology Officer Mark Barrenechea talked about the importance of trust building between security provider and client. Because the nature of what has to be protected is changing, organizations need to trust that their information is safe in new and different ways.
Subramanian said trust is redefining the definition of cybersecurity. Organizations should consider three questions as they go into partnership with security providers:
• What is the meaning of trust?
• Who is a trusted authority?
• How much can you authenticate that trust?
Security platforms don’t know where the data is or how it’s used, Di Bello told me, making it difficult to protect that information. Knowing your data, recognizing how it can be compromised, and trusting those you bring in will be able to protect your information is the way cybersecurity should be shaped today. But we can’t do that until we are willing to change the way we think about security.