At the height of the COVID-19 pandemic, organizations across all sectors experienced a surge in the number of endpoints connecting to their networks. In 2020, when companies, educational institutions, and government agencies were forced to operate remotely, endpoint connections represented critical lifelines that served to eliminate business interruptions.
But even today, despite some organizations contemplating and implementing return-to-office policies, endpoint connections are still on the rise. And each mobile device, cloud account, and Internet of Things (IoT) endpoint that connects to a network makes an organization’s attack surface a little bigger than it was before. Each one is a larger target and a new possible network vulnerability for malicious cyber actors to seek out and exploit.
Meanwhile, as hackers are sharpening their skills and searching for network vulnerabilities to take advantage of, organizations’ IT departments are facing an extremely troubling, parallel situation: a cybersecurity workforce shortage. With cyber-attacks on the rise and a security workforce on the decline, organizations are having to figure out new ways of addressing the security and protection of their networks.
To get a clearer picture of the cyber threat landscape organizations are operating within today, and to learn about the cybersecurity tools and technologies that organizations can leverage to bridge today’s workforce shortage and protect their networks, the GovCyberHub sat down with IBM Security’s CTO, Jeff Crume.
Here is what he had to say:
GovCyberHub (GCH): What does the current cyber threat landscape look like for organizations? What are some of the common cyber risks and threats they are presently facing?
Jeff Crume: One of the most common risks that we are seeing across all sectors stems from the fact that more endpoint connections are being linked to organizations’ IT networks. This inevitably leads to expanding attack surfaces, as the use of unauthorized cloud services, Internet of Things (IoT), smart devices with network connections, and Bring Your Own Device (BYOD) practices continue to swell.
At the same time, we are seeing widespread use of AI in the form of chatbots, many of which are prone to providing false information – what we call AI hallucinations – and leaking sensitive information that has been shared with them. All of these make the task of maintaining visibility and control much more difficult for cybersecurity professionals.
GCH: How much progress have organizations made in rolling out zero trust security controls and procedures across their IT infrastructures?
Jeff Crume: I believe a lot of progress has been made, but there is still much more to be done. I view zero trust as a set of principles and paradigms that should be applied to an organization’s cybersecurity policies and protections. These are aspirational and should be something we continue to strive for but, in fact, will never fully achieve.
The ultimate goal is to reduce risk, but we can never reduce this to an absolute zero unless we are willing to simply turn off all of the systems, which is not an option. As long as a system is operational, it brings some risk.
Fortunately, zero trust gives us some solid guidance as to how to bring that risk down to an acceptable level by raising awareness of implicit trust in our systems, so that we can make informed decisions as to how we can replace this with verified, justified trust, where possible.
GCH: What common struggles and challenges have organizations come up against as they work towards achieving zero trust? How good a grasp do they have on their zero trust plans and architectures?
Jeff Crume: I think the first is in identifying implicit trust. Meaning, where have we assumed that something was secure when it really wasn’t? Did we assume that the good guys are “in here” and the bad guys are “out there?”
The rise of remote work during the pandemic should have removed any such notions since there really is no “inside” or “outside” when it comes to networks, as good guys and bad guys are in both spaces. Assume that the network is hostile. Assume that the attacker is already in your database. Assume your server or your app has already been breached. Now build your security based on this new set of assumptions and you will find that you look at everything differently going forward.
Too many people have written off zero trust as just “defense-in-depth” or “extreme principle of least privilege,” but it’s more than that. It’s also the assumption of breach that really is the game changer that I think most have not fully grasped.
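The contrast Crume draws above, between trusting whoever is "in here" and verifying every request while assuming the attacker is already inside, can be made concrete with a small policy check. The following is an added illustration, not code from the interview or from IBM; the network range, identities, resources and policy table are all constructed assumptions, and "device compliant" stands in for whatever posture signal a real deployment would attest.

```python
"""Added illustration (not from the interview): the same access request
evaluated by a perimeter-trust model and by a zero-trust model.
All IP ranges, identities, resources and policy entries are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed "corporate" range that a perimeter model implicitly trusts.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass
class Request:
    src_ip: str
    subject: Optional[str]      # authenticated identity, None if unauthenticated
    mfa_verified: bool          # strong authentication completed for this session
    device_compliant: bool      # assumed posture signal (managed, patched, encrypted)
    resource: str
    action: str


# Constructed least-privilege policy: subject -> permitted actions per resource.
POLICY: Dict[str, Dict[str, set]] = {
    "payroll-db": {"alice": {"read"}, "payroll-svc": {"read", "write"}},
    "wiki": {"alice": {"read", "write"}, "bob": {"read"}},
}


def perimeter_decision(req: Request) -> bool:
    """Implicit trust: anything inside the corporate range is assumed to be a good guy."""
    return ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_decision(req: Request) -> Tuple[bool, List[str]]:
    """Explicit verification on every request; network location grants nothing.
    Returns (allowed, reasons) so a denial can be logged with its cause."""
    reasons: List[str] = []
    if req.subject is None:
        reasons.append("unauthenticated")
    elif not req.mfa_verified:
        reasons.append("mfa missing")
    if not req.device_compliant:
        reasons.append("device not compliant")
    permitted = POLICY.get(req.resource, {}).get(req.subject, set())
    if req.action not in permitted:
        reasons.append(f"{req.subject!r} not permitted to {req.action} {req.resource}")
    return (not reasons, reasons)


# Constructed sample requests: an attacker who already has an internal address,
# a legitimate remote user, and an internal user overreaching their privileges.
SAMPLE_REQUESTS = {
    "attacker_inside": Request("10.1.2.3", None, False, False, "payroll-db", "read"),
    "alice_remote": Request("203.0.113.7", "alice", True, True, "payroll-db", "read"),
    "bob_overreach": Request("10.5.5.5", "bob", True, True, "payroll-db", "read"),
}


def evaluate_all() -> Dict[str, Tuple[bool, bool, List[str]]]:
    """For each sample request: (perimeter_allowed, zero_trust_allowed, reasons)."""
    results = {}
    for name, req in SAMPLE_REQUESTS.items():
        zt_ok, reasons = zero_trust_decision(req)
        results[name] = (perimeter_decision(req), zt_ok, reasons)
    return results


if __name__ == "__main__":
    for name, (perim, zt, why) in evaluate_all().items():
        print(f"{name:16} perimeter={'ALLOW' if perim else 'DENY':5} "
              f"zero-trust={'ALLOW' if zt else 'DENY':5} {'; '.join(why)}")
```

The point the table of results makes is the one in the answer above: the perimeter model lets the already-present attacker and the overreaching insider through purely on their source address, while denying a fully verified user who happens to be remote. The zero-trust check reverses all three outcomes, and the returned reasons are what a detection team would want in the audit log.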
GCH: It is no secret that the nation is facing a cybersecurity workforce shortage. What impact is this talent shortage having on organizations’ IT teams, and on their security postures in general? And what impact, if any, does it have on zero trust rollout and implementation?
Jeff Crume: The first impact is that we do not have enough people to keep up with current threats, much less take a broader, more holistic view with zero trust principles. We are so busy fighting fires that we rarely have time to think about how to prevent them. The good news is that we do have good tools today that can help.
In the 2023 IBM Cost of a Data Breach Report, we learned from surveying 3,000 people from more than 500 organizations that the number one way to reduce the cost of a data breach was through the extensive use of AI and automation. This reduced the cost on average by $1.76 million and lessened the time to identify and contain a breach by 108 days.
This is proof that tools make a difference if we use them well. Therefore, to the extent that we can leverage AI and automation as force multipliers, we can compensate for the lack of staffing through greater efficiency and speed.
GCH: How has IBM helped organizations overcome these workforce challenges? And what products and/or services are available that can assist in modernizing and automating their cybersecurity architectures and zero trust policies/procedures?
Jeff Crume: I lead a team of cybersecurity architects who have engaged with many clients to help them better understand their current zero trust postures and develop a list of prioritized initiatives that will enable them to achieve their goals in this space.
We offer tools that help identify and manage threats, automate and orchestrate incident response, lock down identities, and identify and protect sensitive data. All of these tools leverage AI today and will do even more in the future.
Current research into large language models, generative AI, and chatbot interfaces promises to make cybersecurity even more effective in the future as we lessen the burden to protect, detect, and respond to threats in real time.