Spencer Young Uncovers the Future of Application Security, AI and Cybercrime
Spencer Young, Regional Vice-President EMEA at Imperva, explores challenges and opportunities on the emerging application security market.
Spencer Young, Imperva’s Regional Vice-President, EMEA
Today, we are excited to welcome a well-known security veteran, practitioner and executive – Spencer Young.
Spencer Young has served as Imperva’s Regional Vice-President, EMEA, since May 2016. In a career spanning 30 years, Spencer has worked in a range of sales and senior leadership positions for companies including Kaseya, Synopsys & Interwoven, as well as IBM and Xerox. He has been in the Cyber-Security industry for over 8 years and is passionate about helping CISO’s and CIO’s to gain value from their cyber-security investments.
Below are ten sophisticated questions answered by Spencer:
1. Why do many organizations still regard cybersecurity as a burdensome cost rather than an investment?
Unfortunately, this is still the case depending on the type of business environment a company is in. We see that in heavily regulated industries such as Financial Services, Telecommunications, Utilities and Retail, they now regard cybersecurity as a fundamentally necessary “investment”, in that it will protect their top and bottom lines, and if a public entity, their share price and ultimate company valuation. Businesses exist on Data, and cybercriminals monetize on one thing – gaining access to or stealing Data....
The issue historically with most other industries, is that spending on cybersecurity has been seen as a form of “insurance” – and who likes paying for insurance?!..businesses have spent the bare minimum they feel they have to and will accept “good enough” technology to simply be “insured” – that is, until the moment they suffer a data breach, or a DDOS attack, or are held to ransom by a cybercriminal who has gained access to information through web applications.
John T Chambers is famously quoted as saying, “There are two types of companies, those that have been hacked, and those who don’t know they have been hacked”
“There are two types of companies, those that have been hacked, and those who don’t know they have been hacked”
Smart companies recognize that investing in Cybersecurity can add competitive advantage, and be used for improving revenues and profits, rather than as an insurance premium that must be paid, or simply to be “bare bones” compliant with industry or government legislation
2. How much time should BoDs allocate to cybersecurity and privacy topics without detriment to the core business?
This depends on the business itself, the regulatory requirements on them, and the value to them of the data they hold and use for their business to be successful. We must all start with ensuring that all PII data is protected and that we comply with GDPR, or local legislation, from there, the time spent on cybersecurity and privacy should directly correlate to the value of the data they hold. If you are a bank, or a utility company, or an on-line retailer, you cannot afford a data breach, or to have your on-line business unable to trade due to a Ddos attack. We at Imperva work with the BOD’s of many companies in these sectors, who can directly relate lost revenue and profit to web-site downtime, or the impact of a data breach on their share price for example. Therefore, they see cybersecurity as a fundamental part of their “core” business and want assurances from their CISO’s or CIO’s that A. They are protected from risk, and B. That the company has a defined security strategy and posture designed to meet the demands of the business, and to support its goals.
3. What cybersecurity companies can do to make their offering economically practical for their clientele?
Cybersecurity solution providers and vendors can do so much more to make their offerings economically viable for their clients. We see 3 key areas in which customers are demanding change and input from their providers;
- Focus on the return on my investment, not the fear of loss, or just the risk factor. How can you show me a tangible business return on an investment my company may make with you? Can I reduce my investment in other technologies or processes for example?
- Remember that I do not have a limitless budget, and need to justify Cyber investments in the same way I must justify an investment in say, a new CRM system – How can you help me build a business case for my Board that can help me secure the investment I need?
- As we transition our security posture from traditional on-premise technology solutions to the cloud, be that hybrid, private, or public, how can you ensure that my investment with you will cover that transition? I don’t want to be paying twice after all! – Imperva launched a solution called “Flex-Protect” in 2017, that enables our customers to invest in a usage capability of our products, regardless of where that capability is needed, be that on-premise, or in the cloud. This makes the investment economically practical, as most companies don’t know how long the transition will take, so have the peace of mind of complete price protection and capability regardless.
4. How can Machine Learning and AI help solving sophisticated tasks in cybersecurity?
This is a hot-topic right now and has been the subject of much debate across the industry for some time.
The value we are seeing now in where Machine learning and AI is really helping customers, is firmly in the arena of helping them to automate what traditionally have been complex human decisions. For example, take the huge issue that SOC teams face today with the volume of security alerts they receive daily. These businesses have invested heavily in all manner of alerting tools designed to tell them when a potential risk arises.
The issue is, that these teams receive so many alerts, they simply cannot investigate them all, and have little idea on how to prioritise them. On average companies are only investigating 1-2% of the potential risk alerts they receive, which is simply not sustainable.
Machine learning is already helping these teams to group and categorise alerts, so they know the high-risk places to start, and they can maximize the human effort required to investigate and mitigate.
“Machine learning helps group and categorise alerts, lets you know the high-risk places to start and maximize the human effort required to mitigate.”
One note of caution – Cybercriminals are also using AI and Machine learning to their advantage, so we cannot think that this will eliminate risk – it will help us to be more efficient in finding and resolving issues, but will not take away the risk.
5. Do you see any substantial changes on the cybersecurity market since GDPR enforcement in May 2018?
No, because no organization has been fined for non-compliance yet. There is a natural “curve” for adoption of compliance and it is early days for GDPR, despite the fear of financial penalties.
What we are seeing across the globe, is that smart CISO’s and CIO’s are using the compliance requirement of GDPR to secure the investments they have been seeking to make in areas like Database activity monitoring, or data masking for example, for some time. GDPR has certainly heightened awareness within BOD’s in Data security solutions, that was not there before.
6. What is the future of web application firewalls (WAF) market?
The WAF market has gone through several changes over the years, beginning in the early days with reverse proxies onsite, then non-inline WAFs onsite, then moving to some consolidation of WAFs into load balancers with some WAF vendor acquisitions, then finally to SaaS WAF combined with CDN and cloud load balancing. Yet, through all of that, the WAF itself remained unchanged, and the focus of its security remained the north/south or ingress/egress traffic of web portals. Over the last several years we’ve witnessed the transformation of businesses and business applications from on-premise to managed cloud environments. This further gave rise to significant redesign of application development. While plenty of traditional/legacy web applications still exist today and still need security, the modern era of web application design requires security that can grow with it, at its speed, and meet the demands of its multi-component, microservice, serverless, etc architectures.
“While plenty of traditional web applications still exist today and need security, the modern era of web application design requires security that can grow with it.”
What does this mean for WAF? Like most security, all the early year needs still exist, but the adds to WAF, include what were separate components that now are better suited to a single stack. Things like, API security, BOT detection, Anti-DDOS, cloud based WAF, host based application security, patch elimination, Anti-fraud, etc.
In the not too distant past, we recognized the beginnings of this convergence with anti-DDOS in the cloud. WAF was the natural pinch point for traffic. Today, all leaders in the WAF space offer anti-DDOS and for most the customer demand is high, allowing users to discard on-perm boxes for Managed SaaS Anti-DDOS mitigated outside the customer infrastructure.
Like Anti-DDOS, anti-Bot is also in the process of convergence to WAF. Most major WAF vendors offer anti-bot embedded in their offering and while there are some stand alone BOT vendors still in the market, they are likely to partner or go through acquisition as this merge continues.
Most recently, we saw the merge of Runtime Application Self Protection (RASP) with WAF, highlighting the first time WAF vendors have directly entered the API, Serverless, east/west DevOps arena. I think this is further indication that WAFs are a critical part of general security infrastructure and, like network firewalls before them, their presence is requirement within successful IT Security web application strategy.
7. Apart reading Gartner, how can cybersecurity decision-makers select a best cybersecurity product without facing vendors' bias?
There are a few ways decision makers can select a cybsersecurity solution without facing vendor bias. Yes, analyst organisations like Gartner, Forrester and IDC have a plethora of research data on most leading products in the space, so are often a good place to start.
For those who want to dig deeper, another area where they know they will receive honest and candid feedback is in their peer group, and their network of contacts. We forget just how connected CISO’s are for example – they do talk frequently with their peers, and will ask openly about why someone made an investment in solution X, and what alternatives they considered.
Another approach to consider is to engage with security solution distributors and resellers, who will focus more on finding the right technology fit to solve a business problem, rather than try and find a problem that only the technology they represent can solve.
Finally – and as a vendor I have to say this, but because I believe it – challenge the vendors you engage with to “prove” everything. One example is to ask to speak with customer references to support proof points of the capabilities or approach they purport to have.
8. Do you think that Western cybersecurity companies can do business in countries like Russia and China?
I absolutely think that Western cybersecurity companies can do business in countries like Russia and China, and many do, very successfully. (Indeed, Imperva is one of those companies). The key is to build local relationships with the right partners and build a local eco-system, and to understand the specific nuances of trading in these regions.
Whilst the current political climate does not help them invest in “non-local” technologies, the business goals of companies in these regions, and their desire to protect themselves with best of breed solutions, are no different from anywhere else. Nor, for that matter, is the value of the data they hold and the risk to them should they be compromised.
9. What can be done by companies to prevent sophisticated APTs by nation-state actors?
Unlike most cyber criminals, APT attackers take a long term view of their targets, will adapt quickly to “normal” cyber defences and are relentlessly focused on destroying infrastructure, stealing data or simply disrupting business or departmental operations.
Apart from ensuring that they have the fundamental network, web, data and application defences in place, companies must be abreast of the APT groups they are susceptible to attack from, the attack vectors they use, and the malware associated.
Companies must invest in understanding if they are likely to be a target, and more importantly why. From there, the focus should be on a specific strategy to secure the assets at risk. The first step to achieve that, is very often to classify that data, through a data discovery exercise that will help them understand exactly where all those key assets reside. I’m constantly amazed at how often companies simply do not know where all that at-risk data may be within their systems.
10. Which vendor-neutral cybersecurity events would you recommend to CISOs?
I have been fortunate enough to attend many CISO focused events and I believe that the one’s most valuable, are those that focus on open-forum participation, panel based discussion on key “of the day” topics, and those that help CISO’s learn and network with their peers around best practices. The Gartner CISO summit delivers on this, however the most impressive event I have attended in recent years is the HTB Group’s Geneva Information Security Day – largely because the event is for senior leaders only, and that it promotes all the above, plus insights into industry trends that matter to the audience.
“The most impressive event I have attended in recent years is Geneva Information Security Day – largely because the event is for senior leaders”