Whether cloud migration is a cause or effect of digitalization,
it is nevertheless a major part of the journey currently being
taken by business. Cloud cybersecurity
has different issues from on-prem cybersecurity – and may well
introduce new or adjusted pain points for CISOs.
Salt Security surveyed (PDF) an international
selection of 300 CISOs and CSOs to examine the cybersecurity
ramifications of digitalization – and it is worth noting that
almost 90% of them said that digital transformation introduces
unforeseen risks.
The survey is not an attempt to understand all security
challenges, but rather to focus on those challenges that are new or
expanded through digitalization. These challenges can loosely be
divided into functional, personal, direct cybersecurity, and
general.
The biggest functional challenge is qualified staff recruitment.
The underlying skills gap is not new – but it is exacerbated in the
cloud. Book learning (it takes a long time to research, write,
publish, distribute, and learn from a new book) cannot keep up with
new technology. And the alternative to book learning, experience,
is not yet available for new technology.
“Because digital services introduce new types of cybersecurity
attacks, its defense demands new knowledge and capabilities, making
the hiring of qualified talent essential,” notes the survey report.
Ninety-one percent of the respondents said that hiring qualified
talent is a significant issue in business transformation.
The top personal concerns are “personal litigation stemming from
breaches (48%) and increased personal risk/liability (45%).” This
is potentially a growing concern for all CISOs but is again
exacerbated with digital transformation. The underlying problem,
central to almost all the challenges, is the increased need for
speed that comes with business transformation. The faster you go,
the more likely you will make a mistake.
In May 2023, former Uber CSO Joe Sullivan was sentenced to three years’ probation for
covering up a data breach that happened in 2016. CISOs have always
been aware that their role can be the company scapegoat for
security failures, but there is increasing concern over legal
rather than just company liability.
Michelle McLean, Salt Security’s VP of marketing, suggests there
may be a linkage with one of the respondents’ primary cybersecurity
concerns: API security. “We talked about Shadow IT for years. Now
we have Shadow APIs,” she told SecurityWeek. “People are
building services and they’re not necessarily following all the
common best practices around those services. So, I do think that
the concerns over personal litigation are accentuated in a world
focused on digital initiatives because these services and these
products that we’re building, they’re all about sharing sensitive
data.”
The top three cybersecurity challenges coming from
digitalization are supply chain (38%), APIs (37%), and cloud
adoption (35%). “As the delivery mechanism for sharing data across
digital services and applications, APIs represent the key component
of digital transformation,” notes the report. “APIs also play a
particularly critical role in CISOs’ first and third concerns –
supply chain/third-party vendors and cloud adoption.”
Whatever way we look at it, API security is a major concern for
cybersecurity. Partly, the problem is again seated in the need for
speed. Digitalization is a business decision – and business needs
results from the process immediately. No developer sets out to
create insecure code, but the demand to build the code quickly
means that mistakes or omissions can and do happen.
McLean sees a further problem for the CISO. “I think most of the
time when we build a new app, we change the attack surface, but not
the attacks themselves.” When Kubernetes arrived, it didn’t change
the nature of the attacks, just the attack surface to be
defended.
“A lot of what you would look for as a security gap in a
container in a cloud configuration is very much rooted in the
structure of what you built,” she continued. “APIs are different.
It is in the running of the APIs. It is in the tweaking of the
calls and the manipulation of the process. Can I abuse it in this
way and pull back different information? You can’t test for that.
You can’t look at the code and see that gap. It’s all rooted in a
business logic flaw – and that’s what makes API security so
difficult.”
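McLean’s point is that the gap lies in how a call can be used, not in the structure of the code. As an added illustration (not code from the article, from Salt Security or from SecurityWeek), the two handlers below for a hypothetical invoice endpoint have identical shape; only the second ties the lookup to the authenticated caller. The data, names and the `readable_ids` helper are constructed, and the helper is the kind of authorization test a team can run in CI to catch the first form before it ships.

```python
"""Object-level authorization in an API handler: the same lookup with
and without a check that the caller owns the record. Constructed
example; the Invoice table and names are assumptions."""

from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount_cents: int


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, "alice", 12_500),
    1002: Invoice(1002, "bob", 98_000),
}


class NotFound(Exception):
    """Raised when the caller may not see a record (or it does not exist)."""


def get_invoice_unchecked(caller: str, invoice_id: int) -> dict:
    """Vulnerable form: trusts the caller-supplied id and returns whatever
    it points at. Any authenticated user can read any invoice by changing
    the number in the call. Nothing about the code is syntactically wrong,
    which is why a static read of it does not reveal the gap."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return {"id": inv.invoice_id, "owner": inv.owner, "amount_cents": inv.amount_cents}


def get_invoice_checked(caller: str, invoice_id: int) -> dict:
    """Hardened form: the same lookup plus an ownership check bound to the
    authenticated caller, not to anything supplied in the request."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != caller:
        # One response for 'missing' and 'not yours', so the endpoint does
        # not confirm which ids exist to a caller who is probing.
        raise NotFound(invoice_id)
    return {"id": inv.invoice_id, "owner": inv.owner, "amount_cents": inv.amount_cents}


def readable_ids(handler: Callable[[str, int], dict], caller: str,
                 candidate_ids: Iterable[int]) -> set:
    """Authorization test: which of the candidate ids does this handler
    let the caller read? For a correctly scoped endpoint the answer is
    only the caller's own records."""
    readable = set()
    for invoice_id in candidate_ids:
        try:
            handler(caller, invoice_id)
        except NotFound:
            continue
        readable.add(invoice_id)
    return readable


if __name__ == "__main__":
    ids = [1001, 1002, 1003]
    print("unchecked, alice can read:", sorted(readable_ids(get_invoice_unchecked, "alice", ids)))
    print("checked,   alice can read:", sorted(readable_ids(get_invoice_checked, "alice", ids)))
```

The useful habit here is the last function: a test that logs in as one tenant and walks a set of ids belonging to others. It exercises the call the way McLean describes rather than reading the code, which is the only way this class of flaw shows up.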
The primary general challenges specified by the respondent CISOs
are the rapid rise of AI (94%), macro-economic uncertainty and the
geopolitical climate (both at 92%). There is little that can be
done about the last two, but the CISO can at least use defensive AI
to counter adversarial AI.
This is particularly important in defending APIs. “The bad guys
are going to tap AI to get better at attacking,” said McLean. The
attackers will use AI to seek logic flaws in APIs long before there
is an actual breach – so the defenders need to be able to recognize
that reconnaissance phase. This can only be done with defensive AI.
“There’s no way for humans to keep up – there’s simply too much
traffic to parse,” she continued. “So yes, it will be used as a
weapon. And yes, AI also needs to be used as a defense.”
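The reconnaissance McLean describes leaves a trace in API access logs before any breach: one client walking through object ids and collecting 403/404 responses. The following is an added example, not code or data from the article or from Salt Security, of a statistical baseline that surfaces that pattern; the log format, the thresholds and the sample lines are all constructed. It is a rule-based first step a team can run today, not the defensive-AI tooling the article refers to, but it shows the signal such tooling would be trained to recognize.

```python
"""Flag API clients whose request pattern looks like id enumeration.
Constructed example: log format, thresholds and sample lines are
assumptions, not from the article."""

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
OBJECT_ID_RE = re.compile(r"^/api/invoices/(?P<oid>\d+)$")

# Assumed thresholds: many distinct ids in a short span, or a high share
# of 403/404 answers, is what probing for a logic flaw tends to look like.
MIN_REQUESTS = 5
MAX_DISTINCT_IDS = 8
WINDOW_SECONDS = 60
ERROR_RATIO_LIMIT = 0.5

# Constructed log lines: a light normal user, a probing client that walks
# ids 1001..1010, and a busy but legitimate user hammering one record.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=198.51.100.10 GET /api/invoices/1001 200
2024-05-01T10:00:40Z client=198.51.100.10 GET /api/invoices/1001 200
2024-05-01T10:00:02Z client=203.0.113.7 GET /api/invoices/1001 200
2024-05-01T10:00:05Z client=203.0.113.7 GET /api/invoices/1002 200
2024-05-01T10:00:08Z client=203.0.113.7 GET /api/invoices/1003 404
2024-05-01T10:00:11Z client=203.0.113.7 GET /api/invoices/1004 404
2024-05-01T10:00:14Z client=203.0.113.7 GET /api/invoices/1005 200
2024-05-01T10:00:17Z client=203.0.113.7 GET /api/invoices/1006 404
2024-05-01T10:00:20Z client=203.0.113.7 GET /api/invoices/1007 404
2024-05-01T10:00:23Z client=203.0.113.7 GET /api/invoices/1008 404
2024-05-01T10:00:26Z client=203.0.113.7 GET /api/invoices/1009 404
2024-05-01T10:00:31Z client=203.0.113.7 GET /api/invoices/1010 404
2024-05-01T10:01:00Z client=192.0.2.50 GET /api/invoices/1001 200
2024-05-01T10:01:10Z client=192.0.2.50 GET /api/invoices/1001 200
2024-05-01T10:01:20Z client=192.0.2.50 GET /api/invoices/1001 200
2024-05-01T10:01:30Z client=192.0.2.50 GET /api/invoices/1001 200
2024-05-01T10:01:40Z client=192.0.2.50 GET /api/invoices/1001 200
"""


@dataclass
class ClientStats:
    requests: int = 0
    errors: int = 0
    object_ids: set = field(default_factory=set)
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def error_ratio(self) -> float:
        return self.errors / self.requests if self.requests else 0.0

    @property
    def span_seconds(self) -> float:
        if self.first is None or self.last is None:
            return 0.0
        return (self.last - self.first).total_seconds()


def parse_line(line: str):
    """Return (timestamp, client, object_id_or_None, status) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    oid_m = OBJECT_ID_RE.match(m["path"])
    return ts, m["client"], (oid_m["oid"] if oid_m else None), int(m["status"])


def summarize(log_text: str) -> dict:
    """Per-client counts, distinct object ids and time span."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unexpected format: skip rather than crash the run
        ts, client, oid, status = parsed
        s = stats[client]
        s.requests += 1
        if status in (403, 404):
            s.errors += 1
        if oid is not None:
            s.object_ids.add(oid)
        s.first = ts if s.first is None or ts < s.first else s.first
        s.last = ts if s.last is None or ts > s.last else s.last
    return dict(stats)


def flag_enumeration(log_text: str) -> dict:
    """Map client -> reason for clients whose pattern looks like probing."""
    flagged = {}
    for client, s in summarize(log_text).items():
        if s.requests < MIN_REQUESTS:
            continue
        if len(s.object_ids) >= MAX_DISTINCT_IDS and s.span_seconds <= WINDOW_SECONDS:
            flagged[client] = f"{len(s.object_ids)} distinct ids in {s.span_seconds:.0f}s"
        elif s.error_ratio >= ERROR_RATIO_LIMIT:
            flagged[client] = f"{s.error_ratio:.0%} of requests were 403/404"
    return flagged


if __name__ == "__main__":
    for client, reason in flag_enumeration(SAMPLE_LOG).items():
        print(client, "->", reason)
```

Note the third client: six hits on one record in a minute is volume, not reconnaissance, and it is not flagged. Keying the rule on distinct ids and error share rather than raw request count is what separates a busy user from someone mapping the endpoint.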
The big takeaway from this report is that CISOs should not
engage in a digitalization process believing that it’s just
business as usual. Digitalization brings new challenges, new
concerns, and new threats. One of the biggest dangers is that
business leaders may consider the project to be purely a business
project. Since the company already has a CISO, a security team and
a security budget, they may easily feel that security is already
handled. But both business and security must recognize that this is
new territory, and should not in any sense of the phrase be
considered just ‘business as usual’.