Budgets Used To Comply, Not Secure? How Cloud Is Changing Cyber

Dan Gunderman

“Task Force 7 Radio” host George Rettas was joined by e-Share CEO Nick Stamos on his Feb. 26 program, which found the security experts discussing advances in cloud computing, regulatory environments and the overarching cyber “bubble.”

Stamos’ e-Share was formerly called nCrypted Cloud, which began as a solution to protect files in cloud storage providers. It has since expanded its services, building enterprise-class external file-sharing capabilities on top of supported cloud providers.

Stamos caught up with Rettas, a fellow information security executive, to discuss crucial trends in the cyber security space.

Efficacy & Responsibility

On the issue of security versus compliance, Stamos said, “Security is looking at the efficacy of what you’re doing. Compliance is meeting a regulatory requirement in terms of what’s there. Compliance is really about meeting those regulatory requirements to avoid fines, but it doesn’t mean its efficacy is going to be what you want at the end of the day. That’s the big challenge and a problem we have today.”

“From my point of view, security would be much more important,” Stamos said. “As a CEO of a company in the compliance and regulatory space, unfortunately budgets are there for compliance, they’re not there for security.”

On whether solutions are keeping up with the evolving threats, including malware, Stamos said, “I think it’s (about) strategy – and the approach is getting more and more untenable. The concept of having an operating system never compromised, or a machine or network that can’t be compromised, is not a valid strategy… The bad guys only need to get it right once, the good guys need to get it right all the time. The chances of getting it right all the time are lower and lower, as systems get much more complex, much larger and much more difficult to manage.”

The e-Share CEO said that even sophisticated solutions might not be able to keep up. He advocated for “rolling things back to the basics.” He said that the cloud is an opportunity to do that, as it is coming on strong in the enterprise and provides a way to step back and rethink strategy.


Exfiltrate Only?

Stamos also said that companies should remind themselves that the point of a “compromise” is to exfiltrate data. It’s not so much a path of destruction, he said. Even with “bad guys” in the network, until data is exfiltrated, it doesn’t really matter that much.

“Malware, to be more sophisticated and less detected, has to be more efficient, stable, and low resource utilization; (it must use) very little bandwidth, and the trigger points that made it easy to identify it as malware have to behave much better as software running on your infrastructure to evade detection,” Stamos added. “That means they’re coming less and less from a disaster recovery point of view. They’re not there to disrupt what you’re doing, they’re there to steal data…”

Stamos suggested organizations ask how users and servers send information outside the enterprise, and secure those exit points. He advised enterprise security teams to question whether these points are “simply secure pipes” or if the data is secured all the way to the recipient, while still maintaining visibility and control.

Rush To Cloud

Asked whether emerging technologies are built with security in mind, the “Task Force 7 Radio” guest said, “Yes and no. Some of the new solutions are doing a pretty good job at meeting compliance issues, they have good auditing capabilities and utilize good identity and access policies which are integrated well inside the enterprise.”

He said a substantial challenge today is the sudden “rush” to get into the cloud while not necessarily doing enough homework on its long-term impact. Stamos said cloud must be embraced “appropriately.” He suggested that there is a “big gap” in end-user education. He said the users are getting information from vendors, and analysts are no longer educating them because they cannot keep up with the meteoric speed of the space. Stamos said if that’s the case, “IT folks need to take responsibility for themselves and fulfill it.”


At the end of the day, it appears smaller companies may even be in a better position to migrate to the cloud and make uniform policy across the organization. The process could be more efficient for them than for Fortune 100 companies, which must deal with legacy components.

Stamos continued, saying, “As long as you know how to put the Lego pieces together, and there’s a requirement of knowledge, (you’re) at a huge advantage. You don’t really have the same concerns and issues as the large, Fortune 100 companies, which are worried about hundreds of thousands of desktops and old versions of software.”

The e-Share CEO also suggested that the cyber security space is in a precarious position, or a bubble, because of the market ecosystem dating back about a decade. That environment, he said, has caused larger security companies not to pursue startups because of their overwhelming sale demands. He attributed this to a few cyber security “unicorns” that pulled in impressive returns in IPOs.

Still, Stamos said, the cyber security spend will continue to increase. He pointed to a trend in the last 18 months or so where large, Fortune 100 companies have embraced cloud technology and solutions. He said, unfortunately, some did so without “the best of planning.”

Defending the technology, though, Stamos said that cloud has significant advantages if leveraged correctly. He said it could help enterprises eliminate the former “eggshell infrastructure” (hard exterior, soft interior).


Bye, Bad Habits

Will cloud solve the sins of the past, though? Stamos said it will help companies eliminate “bad habits,” but only if leveraged appropriately. Because of the off-premises nature of the cloud, some inherent security issues are alleviated because you “can’t touch it, or can’t physically connect to it directly.”

“If you’re smart about it, and understand what you’re doing going forward, it will enforce practices upon you that are much better off than legacy development,” Stamos said.

To help expedite the efficiency of cloud computing, Stamos called for additional education. “There’s a massive knowledge gap out there,” he said. “(Board members) are not asking the right questions. They’re asking questions about running in an on-prem environment. They’re headed to the cloud, but headed to it with the mindset of how things work today, instead of starting with a clean slate.”

In the closing minutes of the show, Stamos pointed to the evolving responsibilities of today’s CISO. The e-Share CEO advocated a “built-to-change” mentality that will help the enterprise move swiftly to more efficient protocols as time goes by.

“The minute you’re building one house, think about how you’re going to move to the next one,” he advised.

The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.
