Network infrastructure has to be simplified to increase security against cyber attacks, Canadian telecommunications executives have been told.
“The opportunity as we move forward is to look at what we can do to simplify the environment, to build security in at every intersection point,” Karen Worstell, VMware’s senior cybersecurity strategist said Monday at the annual Canadian Telecom Summit, “because the cost of not doing that is going to be a world without trust.
“Complexity is the enemy of security and the opportunity for cybercrime.”
“We really do have our work cut out for us,” she said. “Technically we understand what to do. It’s in the implementation of it, whether we have the will to take the time and investment to make it happen.”
Worstell was appearing on a cybersecurity panel, which included Ann Cavoukian, executive director of the Toronto-based Global Privacy and Security by Design Centre; Scott Poretsky, Ericsson Canada’s director for security for network product solutions; and Vanessa Little, global chief technology officer at Interdynamix.
Telecom networks are more open today, Little pointed out, with less vendor lock-in. But, she added, that also opens new integration points, which, in turn, are potential security and privacy risks. That’s true particularly because network systems are gathering more data.
“We have to take more consideration into how this data is secured, not only when data is at rest. When it is in transit is a huge concern.”
“When an operator moves to the cloud, the operator is still accountable for the data and privacy,” Poretsky reminded listeners.. “It is not the third-party HCP (hyperscaler cloud provider) running the public cloud that is accountable.”
Cavoukian emphasized the importance for any organization to build privacy and security principles into their operations and products. There’s a trust deficit now between consumers and organizations, she said, and it’s mounting.
“When I speak to boards and executives they first shake their heads because they think I’m going to put the brakes on what they’re doing,” she said. “Once they hear privacy and security can build trust, they are all in. So build privacy and security into your operations and let customers know what you’re doing. You will build enormous trust.”
Little agreed. “Without securing data upfront we’ve already failed.”
What she called “yesterday’s security model” — where every application is secured in a different way — can’t be applied to modern networks.
“Networks are becoming so complex, applications are gathering more data than ever. Ann’s approach of baking it [security and privacy] into the platform before you even build it [means] you have to build it from the top down.
“Security has to be at the forefront not only when you design the network but when you write the applications that are going to sit on it.”
“The opportunity in front of us is to create a business agility framework that is also secure,” said Worstell. “We need to get a fresh perspective on how to approach security in a way that says, ‘This is not a blocker, it’s an enabler.'”
“We have so many surfaces to defend, so many silos where we don’t have context visibility in the environment today. How do we change that?” she asked.
One way, she suggested, is by taking security out of its silo. At AT&T Wireless she was not only CISO but also the chief technology risk officer. So instead of always bringing a security view to an issue she also needed a technology risk view — what was the risk of not delivering a service? of not making applications successful?
“We had a balance,” she recalled. “We weren’t opposing teams, we were on the same team. That enabled us to get some incredible progress done on overhauling and re-engineering security … “By looking at it [security] differently and realizing we’re all on the same team, that security shouldn’t be in a spoiler role, I think we can change things and make them better.”
On the other hand, speakers weren’t optimistic about the ability of IT to slow cyberattacks.
“I don’t think we’ll ever catch up,” said Little. “Historically the IT industry has never been able to say we’re hacker-proof. We’re getting better, and now that there are financial models being built to incentivize companies to address security way in a more holistic way, it’s helping,” But, she added, there are “armies” of threat actors. “We as the IT industry need to evolve as quickly as they do and do the best we can to say ahead of them.”
Many threat actors don’t want to smash and grab data, Little warned. They want to maintain persistence on a network. Too many organizations focus on having first-mover advantage, she said, but do it at expense of privacy and security. They hope they can “mop up the mess later.”
Boards of directors Cavoukian talks to are nervous about data breaches. “I think they’re finally ready to invest a little more than they used to [in security],” she said.
One easy step, she advised, is to strip personally identifiable indicators from data once it’s been used for the purpose it was collected for. That minimizes privacy risks enormously, she said.
The conference continues.