Passwords and firewalls are so yesterday, says Ed Giaquinto, CIO of Roseland, New Jersey-based Sectigo. Today, protecting a company from cyberattacks means understanding the latest threats, ensuring all employees are properly trained in the most cutting-edge approaches and ensuring the “interoperability” of your security products.
How has the role of CIO shifted in light of evolving cyberattack tactics?
Traditionally, a CIO’s primary responsibility is to align technology and technology-based decisions with business direction and processes. This alignment is meant to provide the business with the data it needs to readily adapt to change. Cybersecurity is simply another stream of data, which needs to be accounted for, and aligned with the business.
Today’s cyberattacks are evolving and becoming increasingly sophisticated, affecting the many different components of a business. The entire business needs the correct information to adapt to the ever-changing threat landscape, and it is the role of today’s CIO to supply that information.
Included in that role is coordinating cybersecurity training for all employees. It is important that all employees, regardless of their location, receive regular training on cybersecurity best practices to safeguard themselves and their company’s data.
Equally important, CIOs must guarantee employees receive digital certificates for identity verification. This ensures employees are aware of risk, have been instructed and tested on prevalent techniques of compromise, and have public key infrastructure-based digital certificates embedded in their devices to validate their identities when accessing the device and other corporate resources.
CIOs also need to prioritize both cybersecurity training and securing and managing the increasingly massive amounts of human and machine identities with digital certificates, issued by certificate authorities. They must optimize their certificate lifecycle management processes if they are serious about strengthening their organization’s defenses. CIOs can achieve this by choosing simpler ways to manage the digital certificates that establish digital trust across the enterprise—CA-agnostic solutions capable of delivering stability and reliability that are independent of certificate term, purpose or issuing CA.
As organizations move to a passwordless future, what are the first two changes we can expect to see in security protocols?
First, we need to recognize that most “passwordless” systems are not truly passwordless. What they do is simply find clever ways to obscure the password, which is still required to access disparate services and data. Passwords have weak security, and it is too easy for bad actors to steal, guess or socially engineer these shared secrets and access sensitive data.
Using PKI-based digital certificates to reduce and eliminate passwords is a highly secure alternative form of authentication for user and machine authentication, code signing, data and email security. This identity-first security approach involves a cryptographic key pair of a public and private key to ensure sensitive information stays private.
CIOs and their businesses today can’t rely on outdated cybersecurity practices that involve passwords. Everything must center on strong identity-first security, and true passwordless authentication is crucial. For truly passwordless technologies, security protocols will need to change relative to the technology being used to implement passwordless solutions. In the case of a PKI-based solution, protocols will need to be established to validate individual identities prior to certificates being issued, and then revalidated as certificates get re-issued.
What are actionable ways organizations can secure the remote workforce with increased dependency on enterprise networks?
Bad actors continue to use identity as an attack vector. The move to remote work has accelerated over the past couple of years, creating an easy gateway for cyber criminals and keeping IT teams busy. New operating models for workforces have made for an explosion of human and machine identities all requiring remote access to enterprise networks. IT security teams can no longer simply protect their network architecture with firewalls. Today’s complex environments now include mobile devices, cloud environments, DevOps, BYOD, IoT devices and more.
Enterprises need to recognize that with an ever-increasing number of digital certificates in use, the likelihood of a breach caused by poor certificate management is very real. Adopting an identity-first security posture to establish digital trust is a key security measure for companies to mitigate risk and even prevent cybersecurity threats from occurring.
Organizations should put digital identity and cybersecurity solutions hand-in-hand with openness in their cybersecurity strategy. To secure the new digital landscape, enterprises need a comprehensive certificate lifecycle management solution and a constant re-evaluation of their cybersecurity strategy—especially as the prevalence of hybrid working will only increase remote access to enterprise networks.
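As an added illustration of the certificate lifecycle controls described in the two answers above (validating an identity before a certificate is issued, revalidating it when the certificate is re-issued, and keeping a CA-agnostic inventory), here is a small Python policy check. It is example code written for this page, not Sectigo's product or the interviewee's; the inventory records, field names, thresholds and dates are constructed assumptions.

```python
from datetime import date

# Constructed inventory (not real data): one record per issued certificate,
# whichever CA issued it, so the same policy applies across CAs.
INVENTORY = [
    {"subject": "alice@example.test", "issuer_ca": "CA-A", "purpose": "user-auth",
     "not_after": date(2024, 7, 1), "identity_validated": date(2023, 1, 10)},
    {"subject": "build-server-01", "issuer_ca": "CA-B", "purpose": "code-signing",
     "not_after": date(2024, 6, 10), "identity_validated": date(2024, 5, 1)},
    {"subject": "bob@example.test", "issuer_ca": "CA-A", "purpose": "email",
     "not_after": date(2025, 3, 1), "identity_validated": date(2022, 11, 3)},
    {"subject": "svc-legacy", "issuer_ca": "CA-B", "purpose": "machine-auth",
     "not_after": date(2024, 5, 20), "identity_validated": date(2023, 6, 1)},
]

TODAY = date(2024, 6, 1)      # fixed "today" so the example is reproducible
RENEW_WINDOW_DAYS = 30        # start renewal this many days before expiry (assumed)
REVALIDATE_AFTER_DAYS = 365   # identity proof older than this must be redone (assumed)


def plan_actions(inventory, today, renew_window=RENEW_WINDOW_DAYS,
                 revalidate_after=REVALIDATE_AFTER_DAYS):
    """Return (subject, action) pairs for every certificate in the inventory.

    Actions: "expired" (access should be cut off; re-issue only after a fresh
    identity validation), "renew-after-revalidation" (in the renewal window
    but the identity proof is stale), "renew" (proof is current), or "ok".
    """
    actions = []
    for cert in inventory:
        days_left = (cert["not_after"] - today).days
        proof_age = (today - cert["identity_validated"]).days
        if days_left < 0:
            action = "expired"
        elif days_left <= renew_window:
            action = "renew-after-revalidation" if proof_age > revalidate_after else "renew"
        else:
            action = "ok"
        actions.append((cert["subject"], action))
    return actions


def summarize_by_ca(inventory, today):
    """Count certificates needing any action, grouped by issuing CA."""
    needs_action = {s for s, a in plan_actions(inventory, today) if a != "ok"}
    counts = {}
    for cert in inventory:
        if cert["subject"] in needs_action:
            counts[cert["issuer_ca"]] = counts.get(cert["issuer_ca"], 0) + 1
    return counts
```

Run against the constructed inventory, the check flags the stale-proof user certificate for revalidation before renewal, the code-signing certificate for routine renewal, and the expired machine certificate for re-issuance only after its identity is re-proven.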
How can cybersecurity solutions become more cohesive in bolstering network security and strengthening critical infrastructure in the current threat landscape?
Interoperability and openness will be essential in all next-generation identity, cybersecurity and PKI products. Importantly, organizations will find benefit in minimizing the amount of disparate security products they use to make management more seamless. Interoperability will be key to enable orchestration between vendors and products and pave the way for automation for CISOs, CIOs and their organizations.
Protecting our critical infrastructure is more important now than ever as threats continue to escalate. SolarWinds raised awareness of the nature of such cyberattacks and how crippling they can be to enterprises in the long run. CIOs need to deploy technology more advanced than the risks associated with it, and interoperability creates the efficiency to do just that.