July 31, 2019
Security is really about money, said Mark Weatherford, global information security strategist at Booking Holdings, in his keynote speech at the 2019 Cyber: Secured Forum.
“We need to spend more time thinking about the adversaries’ goals because they are more and more about the money,” Weatherford said. Supply chain threats, he noted, are a growing concern for many organizations.
Thinking about the components that go into physically securing the supply chain highlights the risks and the growing need for attention to securing the technology underpinning it. “Cybersecurity can interrupt that supply chain in a variety of different ways,” Weatherford said.
In addition to these threats are those that come from the Internet of Things (IoT), which has become more concerning as organizations continue to blend IT and physical security together. “We are in this perfect storm of cybersecurity,” Weatherford said, referencing a slide he had used in a talk 10 years ago. Many of the risks on the slide had not changed.
With all the talk about 5G, IoT security becomes even more critical. “When we add 5G and IoT together, there are going to be more endpoints out there than we know what to do with,” Weatherford said.
Innovation isn’t slowing down, but security isn’t keeping up, largely because – as Weatherford points out – there is no ‘S’ in IoT. “Businesses are integrating technologies faster than they can keep up with it.”
One major hindrance to security is the skills gap. Faced with staffing challenges, organizations have found that it is easier to buy technology than it is to hire, train and retain people who can develop processes.
Companies need to figure out where they are spending money on people, policies, services and cybersecurity. “People spend so much money on technology, but we are not spending money on people and processes,” Weatherford said.
According to one study Weatherford quoted, the average company has 55 security products, which he believes is actually a bit low. Still, companies are seeing a positive effect on their security spend. As such, organizations should identify their own “security poverty line,” so that if they are spending below that number, they can see where they need to increase their investments.