Last week the Fortinet community of elite customers, partners, executives, and global industry experts came together for two days of keynotes, panels and roundtable discussions during the Fortinet Championship Security Summit. This premier event kicked off the 2022 PGA TOUR Fortinet Championship, at the Silverado Resort and Spa in Napa, California. The Security Summit was also complemented with a Technology Vendor Expo.
Sessions and discussions provided critical insights into today’s most pressing cybersecurity challenges and how to solve them. With cyberattacks on the rise, the event allowed professionals to challenge existing knowledge and gain new ideas from peers and industry experts for further protecting their organizations.
Below is a summary of some of the trends discussed during the event, along with recommendations from leaders on addressing challenges and effectively defending against today’s rapidly evolving threat landscape.
Threats such as ransomware continue to become more sophisticated and aggressive, presenting challenges for security teams everywhere. According to the 1H 2022 FortiGuard Labs Threat Landscape report, the number of new ransomware variants identified in the year's first half increased by nearly 100% compared to the previous six-month period.
“We’re seeing adversaries upping their game,” remarked Renee Tarun, deputy CISO at Fortinet. “Threat groups that had not been active for months and years have become active given the attack surface expanding almost overnight with remote and hybrid work. These adversaries, when successful, are not only holding data for ransom but exfiltrating it and using automation and machine learning to increase the breadth of who they are going after. Adversaries aren’t discriminating which industry they are targeting.”
Matt Cowell, vice president of business development at Dragos, acknowledged that while digital transformation is undoubtedly positive for businesses, new technologies and processes are often adopted with security as an afterthought, leading to risk management gaps. “When organizations accelerated their digital transformation adoption, what adversaries saw and took advantage of is an increased attack surface,” said Cowell.
“This is why threat intelligence is so critical,” he continued. “If you aren’t aware that there are bad actors and what their latest methods are, you can be the next victim. Some opportunist groups have thrived in this remote and hybrid work environment. We saw large organizations that sped up their digital transformation but left open security gaps.”
Beyond threat intelligence, Erika Walk, senior director of digital business services at Waste Management, spoke about other countermeasures organizations should implement in response to the growth in new threat vectors. “It’s not a matter of ‘if’ but ‘when’ your organization will be affected by a ransomware attack. Organizations need to make significant investments in EDR and endpoint response agents as well as disaster recovery,” Walk said.
As more organizations adopt work-from-anywhere (WFA) policies, they face more significant security gaps, particularly if they don’t have the right security technologies and people in place.
“The pandemic drove the need for remote work, so digital transformation became a ‘must have’ instead of ‘nice to have.’ But this introduced new risks as many people didn’t exactly know the role of cybersecurity as part of their digital transformation journey,” said Mary Beth Connolly, vice president of strategy at Schneider Electric.
But even when remote workers have secure access to critical resources, many organizations struggle to integrate those protections with the rest of their security architecture. Siloed security systems can make it impossible for IT teams to create and maintain cohesive visibility across their infrastructure. Bad actors who manage to compromise an endpoint device, especially those operating in poorly secured home environments, are often able to then enter the corporate network.
Chris Grusz, General Manager, WW ISV Alliances & Marketplace, Amazon Web Services (AWS), commented with regard to digital transformation that “how you move fast, but stay secure is still an important question” for many organizations today, especially in relation to the cloud. He also spoke about how a shared security model is foundational to working with AWS, for example.
With the volume of attempted cyberattacks on the rise, combined with major changes as to how and where employees work, security teams need sufficient resources—including skilled professionals—to address these challenges.
The cyber talent shortage continues to put organizations at risk and, in many instances, is a contributing factor in breaches. “CISOs are facing a daily onslaught and doing so with an extreme workforce shortage. One statistic shows that in the government and private sector, there are over 600,000 open cyber security positions in the United States,” said Suzanne Spaulding, former Department of Homeland Security (DHS) Undersecretary for Cyber and Infrastructure and Fortinet Public Sector Advisory Council (PSAC) member.
“Every organization is trying to do more with fewer people,” said Tarun. “Fortinet’s global survey regarding the cyber skills gap found that 80% of breaches were a result of a lack of cyber skills or knowledge.”
Chris Lukas, Chief Information Security Officer, Chevron, commented, “If we think we are behind on IT cybersecurity professionals it is even more challenging for OT professionals.”
The good news is that there are several measures enterprises can take to close security gaps caused by the talent shortage. For example, panelists pointed out that security should be everyone’s job regardless of their role. Ongoing security education training programs can offer a solid foundation to help all employees become more cyber aware. Training is also not just for non-IT employees: upskilling cyber talent and all IT talent is important for retention and for keeping skills current.
“It is everyone’s responsibility to be aware and take ownership of protecting their organization,” said Walk. “It’s not just the CISO who is responsible; it's the entire ecosystem that must have the cyber awareness and skills to leverage the basic tools inside the company. The more people feel ownership, the more organizations close the gap of risks.”
While organizations work to address a myriad of cybersecurity challenges, summit panelists shared essential practices and recommendations to help organizations strengthen their security posture.
Experts agreed that ongoing cyber awareness training for all employees and training that upskills current security professionals are critical components of addressing the skills gap. All employees are responsible for practicing strong cyber hygiene to keep the organization safe. At the same time, security professionals must keep up with evolving threats and changing attacker tactics, making upskilling programs essential.
Philip Kibler, head of cyber risk advisory at American International Group, Inc. (AIG), noted that the people within an organization often pose one of the largest risks. “Reduce the human factor where one wrong click can undo everything,” Kibler said. “Organizations need to actively train and phish employees to see where the knowledge gaps are and address them across your workforce. Your employees should be able to flag external emails that seem like phishing and your organization should use email filtering.”
Others pointed to specific technologies or strategies organizations can implement that help employees—and their organization—be more secure. “All employees should be using multi-factor authentication and understand the importance of the tools in place to protect themselves and their business assets,” said Amanda Kane, director at Guidehouse.
Fortinet’s CFO, Keith Jensen, and Patrice Perche, CRO & EVP Support, both spoke about the commitment Fortinet has made in this area to offer free training and help educate and upskill anyone interested in learning more about cybersecurity. Last year, Fortinet bolstered its commitment to address the cybersecurity skills gap by pledging to train 1 million people globally across the next 5 years through its Training Advancement Agenda (TAA) initiatives and Fortinet Training Institute programs.
Experts stressed the importance of adopting a Zero Trust approach to security as a critical step in the fight against cybercriminals, beginning with the implementation of ZTNA.
“There is a lot of blind trust in our industry,” said Mike McGlynn, World Wide Technology’s Vice President for Global Security. “Organizations must shift to zero trust models where they're always verifying the user, verifying the device, and limiting access. Organizations need to ask themselves, ‘Do I trust this user and the resources they have access to?’”
Tarun agreed, noting that implementing ZTNA is “one of the top things organizations can do to protect themselves.”
Fortinet’s CMO and EVP of Products John Maddison added, “It needs to be universal for ZTNA to work well. The most complete support for work-from-anywhere needs to be a universal approach that is consistent on-prem, in the cloud or as a service via SASE.”
Leaders spoke about the need to reduce the complexity of security processes and tools, and many recommended consolidating technologies as much as possible to simplify operations.
Fortinet Founder and CEO Ken Xie noted that the highest cost related to security is management. “Consolidation offers a way to save investment and make management easier,” Xie said. He added, during an Executive Q&A panel, that this has been central to Fortinet’s innovation approach since the start.
“Most organizations have about 43 different tech solutions in their environments and realize the value of scaling down to seven or eight vendors. Having different technology and solutions that don’t work and play well together is a lot to maintain. To reduce complexity, organizations need to make management easier and reduce costs, finding solutions with a high degree of automation and integration,” suggested Tarun.
Consolidated technologies help security teams operate more efficiently and pave the way for implementing automation. “Organizations need end-to-end security and should reduce the number of vendors to ones that have solutions that can look at the entire threat landscape and fill gaps. Solutions that provide integration and automation are also critical,” remarked Walk.
Security teams benefit from pressure testing their playbooks even if they have the right tools, processes, and people in place.
“It’s so important for organizations to do regular cyber assessments or audits. For a good baseline, I would look at NIST, which outlines different kinds of controls and security frameworks. Looking at the maturity of different areas of your program can help prioritize where the gaps are and how to fix them,” said Kane.
Cowell offered another approach to getting started with an assessment and recommended thinking about what “a bad day looks like” at an organization. “If an adversary had access [to your environment], what could happen? Have an incident response plan and test it,” he said.
Managing risk was a key theme throughout the sessions. The good news is that because risk can be defined as a combination of consequence, vulnerability and threat, organizations can more easily describe why something is a risk and then work towards mitigating that risk. The unfortunate news is that most panelists agree the risk is increasing given the evolving threat landscape, growing attack surface, and cyber skills talent shortage.
Suzanne Spaulding offered some tangible takeaways when considering managing risk. “Cybersecurity is an exercise of risk management, not risk elimination. We cannot rely only on our CISOs and IT leaders to manage risk. Boards need to take on the risk tolerance decision as well.”
Suzanne spoke about managing the consequences of a breach as a way to manage risk strategically. “This can reduce the attractiveness and outcome if attacked.” Suzanne also advised organizations to keep a focus on managing consequences. “Hardening networks to make it more expensive to get into the network in the first place is important. This can also help reduce the benefits of successfully attacking an organization.”
Gary Locke, Former Governor of the State of Washington, Secretary of Commerce, and Fortinet Public Sector Advisory Council (PSAC) member, discussed with Public Sector Field CISO Jim Richberg how “government is here to help but if the first contact is in the middle of a breach that will add stress to an already stressful situation.” They advised planning ahead and beginning a relationship with government organizations before an attack to help manage resiliency and risk consequences.
Fortinet Public Sector Advisory Council (PSAC) member General Sir Richard Shirreff spoke about how, as a soldier, risk management underpinned everything. “Any organization needs to think about risk management and resiliency, not just risk management.” He added, “the strategies applied in the military to manage risk are relevant to any business today,” given the heightened threat environment organizations face.
Former Commissioner and Fortinet Public Sector Advisory Council (PSAC) member, Rachelle Chong, spoke about new and emerging cyber risks focusing on resiliency and reliability of the electric grid in a time of global warming, wildfires and other natural disasters. She offered perspective about how advanced communications trends have impacted the electric sector and the drivers behind the rise of smart grids, smart homes, IoT, microgrids and the electrification of vehicles.
From implementing cyber awareness training programs to ZTNA solutions, experts offered numerous recommendations throughout the summit to help security leaders enhance their strategies.
Fortinet's John Maddison also pointed to the benefits not only of product and vendor consolidation but of the true convergence between security and networking. He noted that the move toward security-driven networking results in “a more concise system” that’s essential for securing an organization's dynamic infrastructure. He described consolidation as a way to focus on fewer vendors, whereas convergence aims at bringing features together, even across networking and security. With an integrated security platform, organizations can readily embrace digital transformation and expand their operations without exposing critical resources or new attack surfaces. Fortinet’s Founder and CTO Michael Xie added, for example, that “FortiOS is the foundation of Fortinet’s Security Fabric,” enabling consistent, coordinated security at scale, across networks, endpoints, and clouds.
The Security Summit is made possible in large part by Fortinet’s Premier Sponsors.