Security can no longer be 'The department of "No"', says Thomas Fischer
Understanding is key to building better infrastructure
To defend against new types of cyberattack, we need to take a fresh look at some old ideas, says Thomas Fischer, global security advocate at Digital Guardian.
"When I started, back in the late ‘90s and early 2000s, one of the ways that we talked about [defending the network] was separating the key infrastructure," he tells us when we meet near Covent Garden. "You would actually segregate your environment so you'd have lightbulbs on a completely separate system, a completely separate infrastructure, from your corporate environments."
We are talking about the dangers posed by the internet of things - specifically, the way that attackers can now gain a foothold on a network through an IoT device like a lightbulb, a toaster or - in the case of the Target breach - an HVAC system. Once an IoT device on a corporate network has been compromised, attackers can move laterally through the infrastructure to reach their objective. Botnets like Mirai have operated in the same way.
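The segregation Fischer describes only helps if someone checks that IoT traffic really stays on its own segment. As an added example (not from the article or from Digital Guardian), the script below takes constructed flow records, applies a hypothetical segmentation policy in which the IoT segment may speak only to one management host on one port, and flags every flow that crosses from the IoT segment into the corporate segment any other way, which is the lateral-movement path the text describes. All subnets, hosts, ports and log lines are assumptions made up for the example.

```python
"""Flag IoT-to-corporate flows that violate a segmentation policy.

Added example; the network layout, policy and log lines are all constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical layout: IoT devices on their own segment, corporate hosts elsewhere.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")       # bulbs, sensors, HVAC controllers
CORP_SEGMENT = ipaddress.ip_network("10.10.0.0/16")      # workstations, file servers, DCs
IOT_MANAGEMENT_HOST = ipaddress.ip_address("10.10.5.10")  # only corporate host IoT may reach
IOT_MANAGEMENT_PORTS = {8883}                             # assumed: MQTT over TLS

# Constructed flow-log lines in a simple key=value format (not real telemetry).
SAMPLE_LOG_LINES = [
    "2019-03-04T10:00:01Z src=10.20.0.17 dst=10.10.5.10 dport=8883 proto=tcp",
    "2019-03-04T10:00:07Z src=10.20.0.17 dst=10.10.40.22 dport=445 proto=tcp",
    "2019-03-04T10:00:09Z src=10.10.3.4 dst=10.20.0.17 dport=80 proto=tcp",
    "2019-03-04T10:00:12Z src=10.10.5.10 dst=10.20.0.31 dport=443 proto=tcp",
    "2019-03-04T10:00:15Z src=10.20.0.31 dst=10.20.0.17 dport=80 proto=tcp",
    "2019-03-04T10:00:20Z src=10.20.0.31 dst=10.10.0.5 dport=389 proto=tcp",
]

FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flow(line):
    """Extract src, dst and dport from one log line; None if the line is malformed."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return Flow(m.group("src"), m.group("dst"), int(m.group("dport")))


def is_permitted(flow):
    """Apply the segmentation policy to a single flow.

    IoT -> corporate: only to the management host on an allowed port.
    corporate -> IoT: only from the management host.
    Everything else (intra-segment, unrelated ranges) is out of scope here.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in IOT_SEGMENT and dst in CORP_SEGMENT:
        return dst == IOT_MANAGEMENT_HOST and flow.dport in IOT_MANAGEMENT_PORTS
    if src in CORP_SEGMENT and dst in IOT_SEGMENT:
        return src == IOT_MANAGEMENT_HOST
    return True


def find_violations(lines):
    """Return the flows, in log order, that cross the IoT/corporate boundary against policy."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None and not is_permitted(flow):
            violations.append(flow)
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG_LINES):
        print(f"segmentation violation: {v.src} -> {v.dst}:{v.dport}")
```

On the constructed sample this reports three flows: a bulb reaching a file server on 445, a workstation reaching a bulb directly, and a sensor querying a domain controller on 389. The management-host exchange and the intra-segment flow pass. In a real deployment the policy would be enforced at the segment boundary as well, with this kind of check running over the firewall's own flow logs to catch rules that drifted.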
Earlier this year, we talked to the CEO of Forescout, Mike DeCesare, about the same issue. His company provides an ‘agent-less’ approach to IoT security, protecting the network rather than the devices. We asked Fischer whether that was a simpler way to defend against these attacks.
"Yes, it's a lot harder to do today," he said. "Most companies want to share their information - but you've got to ask, why are you putting lightbulbs on your corporate network?"
Understanding these decisions is key to building a productive relationship between security and the business, he continued - and to building a more robust infrastructure.
"I think we [security professionals] are missing out on that reasoning. Security has traditionally always been the department that says ‘No’, versus the business that wants to do something. ‘We need these IoT lightbulbs because they'll reduce our costs, because we'll be able to detect when people are actually in the office.’ There are so many business reasons you can use to justify deployment.
"If you have a good security team in place, and they're actually asking the questions like, ‘What is the business problem that the executives are trying to solve?’, you build better, more secure infrastructure because you can actually work together. You understand the drives and directions, and you can actually look at building proper security into the model."