Leading CISO Wants More Security Proactivity in Australian Businesses to Avoid Attack ‘Surprises’

The complexity and change experienced by organisations as they grow is one reason we are seeing similar cyber security risks to a decade ago, says Rapid7’s CISO Jaya Baloo. However, quantum computing is one emerging risk where we could stay ahead of the game.

Speaking on ethics in information security at the 2023 Australian Cyber Conference, Baloo said the Australian market has truly woken up to cyber risks in the last year due to a number of high-profile data breaches that have affected millions of Australians.

Baloo told TechRepublic proactive mapping of assets and vulnerabilities, consistency through times of organisational growth and planning ahead for risks like quantum computing could help Australian security pros step off what can feel like a “hamster wheel.”

Jump to

Organisations lack full understanding of assets and vulnerabilities

Despite talking to organisations about similar risks for a decade, Baloo said that many were “still surprised” when a lack of understanding of the assets they had and the vulnerabilities that were on those assets led to them being the victim of a cyber security incident.

“We still don’t have a full understanding of our footprint, a critical thing for an enterprise, and we wind up surprised if we have an exposed API, issues with credentials being made open or a dataset aggregated for an AI learning model that was open to everyone,” Baloo said. “It is not enough to have effective remediation.

“We should know ourselves, but we still don’t. For example we don’t understand our networks and systems, and we don’t deploy the same standards for internal products as we do to test environments — which we should, but we don’t.”

SEE: A definitive guide to evaluating cybersecurity solutions.

Old vulnerabilities were also creeping up into new products in new tech stacks, Baloo said, because, as an industry, “we haven’t done the security-by-design thing very well.”

Business growth making cyber risk control difficult

Part of the problem is a lack of discipline in the way companies have grown. Baloo said this leads to companies or departments adding new services, for example, or taking them away, without necessarily documenting these changes or following a thorough process.

This often happens when companies grow through acquisition or become a part of a bigger entity themselves, creating a lack of documentation on total external and internal assets.

“We don’t do that well, we don’t execute through these changes in a consistent fashion,” said Baloo.

SEE: Take advantage of TechRepublic Premium’s change control policy.

Baloo said attack surface management automations in the form of third-party risk scores were also not always correct in estimating what belonged to a company.

“We have an imperfect third-party external view and internal view, which is the most important stuff,” said Baloo.

Multicloud expansion is exacerbating data security risks

Cloud computing growth has exacerbated the risk of organisations losing track of their assets and vulnerabilities. Baloo said the ease of spinning up cloud assets, often not taken down, and slightly different services for logging, identity and monitoring added to overall complexity.

“Identity, for example, is set up differently (in different cloud environments), and that is the prerequisite for all the other stuff we do,” Baloo said. “If you are not doing that right from the get go and harmonising that across cloud stacks, it can be easy to screw everything up.”

Harmonise clouds to reduce complexity

Organisations should ask themselves what they are putting in the cloud and why, Baloo said. Pure “lift-and-shift” operations — which would see old applications just “flopped down somewhere else,” even when using some cloud native features — would be best avoided.

“In a multicloud environment, you need to ask how you harmonise the different cloud environments you are using,” Baloo said. “You should have a baseline for what you want on different platforms, how they are set up, then pull that back to centralised or native monitoring. We need to find a way to do this without it being incredibly complex.”

SEE: Here’s everything you need to know about multicloud.

If data is being shared cloud to cloud, Baloo said IT needed to know what that flow looks like.

“Even there can create points of failure,” said Baloo. “What are those from a topological point of view?”

The risks of quantum computing a test of industry proactivity

Quantum computing is one area where proactivity could put IT ahead of the game. With the first quantum computer potentially five to 10 years away, there is time to invest in replacing existing encryption algorithms before they are made redundant for defence by quantum computers.

SEE: Australia is looking at an “assume-breach” approach to combating cyber attacks.

Baloo said the question that should drive action is what data we want to protect and for how long. If Australian organisations want to be able to protect healthcare data for the lifetime of a patient, or even intergenerationally, Baloo said quantum computing now means “we don’t know how to do that.”

“Quantum computing is an area that I am worried will be just like AI,” said Baloo. “It won’t be prioritised as super important until it actually hits us. It is coming, so I would like to see us plan ahead. Let’s not be chickens with their heads cut off when it does hit us.”

Getting ahead of the quantum game

The solution will probably be a combination of both quantum communication networks, like those being developed in China, and post-quantum algorithms, Baloo suggested. However, the important thing is having enough time to undertake the transition before it is too late.

“We suck at change; we are terrible at it,” said Baloo. “Getting everyone in the same place and to the same level of understanding to invest in that transition is going to be a difficult thing to do. But if we wait until there is a quantum computer, then we are screwed.”