Field CISO Q&A: Jonathan Nguyen

By Fortinet | October 17, 2019

We regularly provide Q&A pieces with Fortinet executives to share their key insights and leadership perspectives. The following is from an interview with Jonathan Nguyen-Duy, Vice President, Global Field CISO Team at Fortinet, that touches on common challenges that C-level executives face, the future of cybersecurity, and experienced advice for CISOs.

You talk to a lot of C-level executives. What are a few common themes that come up as concerns -- across industries, enterprise size, etc.? What are some common pain points? 

Continually increasing complexity of threats, shortage of staff, and lack of visibility are challenges that I see across all industries and public sector agencies of all sizes. I’ve not met a CISO that could confidently say that their team had 100% visibility across the network – let alone the state of those connected devices. Lack of visibility into network connections and anomalous behavior is critical – after all, you can’t protect what you can’t detect.

Compounding these challenges is the need to deliver innovation and services faster and a public that expects great levels of security and privacy. Everything is more complex and accelerating – computing, networking, security, compliance, along with all elements of the digital enterprise. 

Are there any disconnects between CISOs and other business leaders within their organization that may be surprising to the security organization?

One surprising disconnect between CISOs and the business leadership is the lack of adoption of the reasonable care standard for security and resiliency. Widely cited in best practices and regulatory frameworks, the reasonable care standard requires organizations to implement technologies and processes to identify and manage risk. While every CISO I’ve met agreed it was the right approach, few have said their boards had adopted reasonable care as their measure of security.  

What does the future of security look like? 

Security will be more integrated with networking and computing – all of which will be more distributed and accelerated with 5G and the mass implementation of smart solutions. The third generation of security will see it being designed into solutions from the outset rather than a bolted-on afterthought.

New 5G-enabled, edge-based computing from industrial applications to smart cities will generate more data than ever before – shifting the majority of computing to the edge, with the cloud progressively being used for correlation and storage.

Security will also be more automated, leveraging AI and ML to analyze vast volumes of data for anomalous behavior in everything from autonomous cars and industrial processes to privileged access users.

How does a security fabric approach protect customers in the future of security?

Having run one of the largest MSSPs in the industry and led one of the foremost threat research teams, I would say that just about every breach in the last 20 years was a result of gaps in visibility, awareness, and control. If you can’t see what’s on your network – you can’t protect it. If you can see what’s connected but have no contextual awareness about what’s happening – you can’t protect it. And if you can detect and understand what’s happening but don’t have an integrated and automated way to respond – you still can’t protect it.

The Fortinet Security Fabric’s broad, integrated, and automated approach provides the visibility and control that’s needed as security becomes even more challenging. With end-to-end visibility and a framework of integrated devices collecting and sharing data to detect threats, combined with FortiGuard AI-enabled intelligence, the fabric automates the detection and mitigation of threats at speed and scale.

How does that intertwine with dynamic cloud security zero-trust network access?

Amongst the recommendations made in light of increasingly aggressive cyber threats, there has been a specific call for the adoption of Zero Trust across the US Government. Zero Trust posits that traffic inside the perimeter should be trusted no more than outside traffic.

A lot has changed since the original inception of Zero Trust in 2009, including the disappearance of perimeters. Going forward, trust assessment needs to move beyond a simple binary yes-no model to be more adaptive and risk-based by:

  • Identifying every request for network access
  • Authenticating the requestor
  • Confirming the state of the device on which the request is made
  • Validating the access request based on a least privileged, need-to-know basis
  • Continuously logging and monitoring all activity for anomalous behavior

The Fortinet Fabric and its partner ecosystem provide enterprises with a broad, integrated and automated way to control access and continuously monitor behavior from the IoT edge, across enterprise networks, and across the largest cloud providers.

Is there specific advice that you find yourself sharing most often in your discussions with other CISOs and CSOs?

Across all the threat research of the past 20 years, and conversations with security professionals from global enterprises and the intelligence community, it’s clear that we’re still not getting the fundamentals right. The vast majority of breaches are not caused by sophisticated attacks or advanced tactics, techniques, and procedures. Rather, threat actors at all levels of sophistication exploit known vulnerabilities for which patches are available. In some cases, these patches have been available for over a year. Indeed, most attacks leading to data breaches could have been mitigated via simple to intermediate controls.

Because so many attacks begin via phishing and exploit known vulnerabilities, getting the basics of security hygiene and resiliency done pays huge dividends.

In my experience, the following steps can help organizations:

  • Adopt and implement the Center for Internet Security Critical Security Controls
  • Implement continuous security awareness campaigns
  • NGFWs are a great compensating control because patching is not easy
  • A rigorous and autonomous approach to web application vulnerability management
  • Employ multi-factor authentication (especially for critical systems/processes)
  • Back up data based on criticality and the SLA associated with the process
