Approach Cybersecurity as Continuous Risk Management, with David Fairman of Netskope
A dozen years or more ago, the cybersecurity landscape was quite different from what it is now: “Endpoints” referred to the tower PCs on every desk, the perimeter of the LAN and local data center defined what needed protecting, and clouds were white fluffy things that floated in the sky.
Today’s security picture is much more complicated — plus, it’s one that’s prone to near-daily change. Organizations use technology for just about every function across the business, and topologies shift between different cloud providers and services, both on-premises and remote. Edge computing allows for resources to be placed closer to users for better responsiveness.
Cybersecurity practices from yesteryear don’t cope with the ever-changing situation well, and many organizations struggle to create protection from several point-products or platforms — some new, some legacy.
We looked briefly at Netskope’s real-time, data-focused and cloud-aware offerings in a previous article. But here, we thought we would go straight to the source and talk to David Fairman, Netskope’s Chief Security Officer for APAC, to see how the company’s ethos and methodology work in practice.
We began by talking about the complexity of today’s IT infrastructure and the massive variety of ways technology is used in the enterprise — especially how multiple SaaS instances have changed the threat landscape. How is Netskope addressing this software usage model? David told us:
“How Netskope helps organizations is that foremost, we’re a data protection-focused company. So, we care about understanding the data, the criticality, and the sensitivity of that data. We want to understand a number of attributes that are relevant to how that data is being used, manipulated, and shared. The relevant attributes are things like the identity, the user behavior, the device type, the network, and the data that are now being used within SaaS applications or cloud services.”
He noted that there are complications when personal and business SaaS uses coincide — for example, both the private and corporate uses of file-sharing service Dropbox.
“Within that SaaS application, there are multiple instances; it could be a corporate instance, it could be a personal instance, it could be a third-party instance […] We’re trying to understand all those different data points, coupled with understanding the data itself. [That’s] the criticality, the sensitivity of that data. We want to bring that together so we can establish the true context of the business use of that data.”
We suggested that the oversight of all data points has to come from an assessment of how the company works. David told us:
“We can help organizations assess the risk of SaaS-based applications and cloud services, we can help them assess the risk of, and the exposure of present and past services that they have deployed, and we recommend and help them with the tools to identify the secure configuration of IaaS or PaaS, the risk posture of SaaS apps and other services. [We] give them methods to help them rectify problems — within their risk appetite and their risk methodology.”
Risk analysis, therefore, becomes a critical component of any protective system. We mentioned Microsoft’s advice regarding Office 365 to turn off any CASB at the client end of the connection to ‘improve user experience.’ David said that like all best practice guidance, this would be factored into a broader risk assessment process:
“An organization will perform a risk assessment on any platform or application that it will use. And it will identify what its risks look like for the implementation of that technology or its capability. Off the back of that, I think they’ll make decisions as to whether or not they want to meet necessary, specified best practices, because, what is necessarily specified by an organization or by a vendor around best practices might not necessarily meet the risk appetite of the organization, or may not even be relevant depending on how this has been implemented or architected […]
“[…] Once we understand the true context of the data, we can then help organizations define the right policies that they want to put in place to control how end-users access and manipulate that data. So that’s where we play a role.”
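To make the idea concrete, here is an added example (not Netskope’s code or policy engine) of a context-aware decision that scores one use of data by the attributes David lists (identity, device, network, SaaS instance, data sensitivity) and compares the result with an organization’s risk appetite; the weights, labels and sample events are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    """One observed use of data, described by the attributes from the interview."""
    user: str
    device_managed: bool   # corporate-managed endpoint or BYOD
    network: str           # "corporate" or "public"
    app: str               # SaaS application, e.g. "dropbox" (constructed)
    instance: str          # "corporate", "personal" or "third-party"
    data_label: str        # "public", "internal" or "confidential"
    action: str            # "view", "download", "upload" or "share"


# Illustrative weights (assumptions), not a vendor formula.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 3}
ACTION_WEIGHT = {"view": 0, "download": 1, "upload": 2, "share": 2}
INSTANCE_WEIGHT = {"corporate": 0, "third-party": 1, "personal": 2}


def risk_score(e: AccessEvent) -> int:
    """Additive context score: sensitivity scaled by action, plus instance, device and network."""
    score = SENSITIVITY[e.data_label] * (1 + ACTION_WEIGHT[e.action])
    score += INSTANCE_WEIGHT[e.instance] * (SENSITIVITY[e.data_label] or 1)
    if not e.device_managed:
        score += 2
    if e.network != "corporate":
        score += 1
    return score


def decide(e: AccessEvent, risk_appetite: int) -> tuple[str, str]:
    """One hard rule on the data itself, then a risk-appetite comparison on the context."""
    if e.data_label == "confidential" and e.instance != "corporate" and e.action != "view":
        return "block", "confidential data may not move to a non-corporate instance"
    score = risk_score(e)
    if score > risk_appetite:
        return "block", f"risk score {score} exceeds appetite {risk_appetite}"
    if score > risk_appetite // 2:
        return "allow-and-log", f"risk score {score} within appetite, logged for review"
    return "allow", f"risk score {score}"


# Constructed sample events: same app, differing instance, device and data label.
EVENTS = {
    "corp_view_internal": AccessEvent("alice", True, "corporate", "dropbox", "corporate", "internal", "view"),
    "corp_download_confidential": AccessEvent("alice", True, "corporate", "dropbox", "corporate", "confidential", "download"),
    "personal_share_internal": AccessEvent("alice", False, "public", "dropbox", "personal", "internal", "share"),
    "personal_upload_confidential": AccessEvent("bob", True, "corporate", "dropbox", "personal", "confidential", "upload"),
}


def run(risk_appetite: int = 6) -> dict[str, str]:
    """Evaluate every sample event and return the decision per event name."""
    return {name: decide(ev, risk_appetite)[0] for name, ev in EVENTS.items()}
```

The same user and application yield different decisions purely from instance, device and data context, which is the point of applying policy to the information rather than to where it sits.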
Netskope helps organizations define risk in terms of the data’s value and can implement controls and protections based on real-time information about risk posture. That’s very different from historic cybersecurity approaches, which are technology-focused (the perimeter, the endpoint, the public-facing router, and so on).
We suggested that in many ways, Netskope’s approach seemed to be one of discovering, first and foremost, how an organization operates and what its strategic goals are: the business motives of the organization. Only then can cybersecurity — to protect those goals — be designed, implemented, and continuously maintained.
“I think that’s a good way of looking at it, right. So yes, we are a security company, and we do provide organizations a consistent set of controls around how data is used. But ultimately, those sets of controls need to be applied in a way that understands the needs of the business — that understands the operations and processes of the organization. […] If you don’t understand how you operate, how your organization operates, and you don’t understand all those various different data points, it’s really hard for you to make the right risk-based, data-driven decisions around how you want to apply your security program or more specifically, your risk management program.”
Because the way technology is used changes almost daily, prioritizing security by risk is more straightforward and more effective over the long term. The insight here is that security policies should apply to a type of information, not just to wherever that information happens to be stored today or to the means by which it is accessed.
Netskope is uniquely positioned to provide assessment, and ongoing protection as the enterprise’s topology and practices change over time. To learn more about the Netskope approach and how it can help your organization protect itself, read more here or request a demo today.