In an increasingly complex environment, hyperconnectivity and the boom of new kinds of threats are generating a cybersecurity paradigm shift.  Organizations are now facing ever more sophisticated cyberattacks that are able to get around traditional protection systems using Living-off-the-Land techniques. In this context, Jorge Oteo, CIO of Vocento and one of the top 25 cybersecurity influencers in Spain, provides some keys to help companies evolve towards a more preventive, proactive and efficient protection model.

 Could you tell us how cybersecurity has evolved over the years since you started your career, and what big changes it has undergone?_

Jorge Oteo: I started in this industry a long time ago. Back then, very few of us thought about security. In fact, the term “cyber” didn’t even exist here. It was marketing teams that came along later and started using the term.

Cybersecurity has evolved, above all because the paradigm of our platforms, our developers, our users, what we expose, and how connected we all are, has changed. And it could be the case that, while all of this has evolved very quickly, we’ve not spent enough time making it all secure.

What’s more, it is getting easier and easier to be attacked, and we’re increasingly exposed. But we’re not alone here. Fortunately, providers, taking advantage of this 21st Century goldmine, have got their acts together and have started to spend money on giving us solutions to different problems that stem from this paradigm shift.

jorge oteo cytomic

Jorge Oteo. Picture vía CIO from IDG

What do you think are the biggest cybersecurity challenges facing companies these days?_

From my point of view, there are three big challenges:

  1. Awareness: this goes for everyone in the ecosystem, and not just employees. It should cover users, collaborators, providers and so on. The more connected we are, and the more dependent we are on those connections, the more vulnerable we are to the outside world.

2. Resilience: the fact that we’re going to be attacked is inevitable. The risk that we run, however, will depend on our exposed assets. We have to deal with any attack in an organized fashion when one comes, and leave absolutely nothing to chance. This is why we need to be prepared. This includes tools and providers to help us out, and an appropriate security team to deal with the attack and, most importantly, to recover service as quickly as possible and with the least damage possible.

3. Hyperconnected world: technologies such as 5G and the growing hyperconnectivity are good for business, but they are also something of a boost for the bad guys. Therefore, what can be seen as a great opportunity for businesses has also become a risk.

What’s more, unlike years ago, it is starting to be the case that there is no perimeter to protect. It’s a bit of an overstatement to say that the perimeter is dead, but it is definitely getting blurred.

In relation to the previous questions, where do you think we’ll be heading in the future? What will the main cyberthreat trends be? And how should companies tackle them?_

I left my crystal ball at home, so I couldn’t say. I don’t like to make guesses about the future, and I’d rather work with the present. What I am sure of is that security is key in companies, and it isn’t always recognized as such (on a budgetary level, or in terms of proper profiles or how important it is in management). As such, and in my opinion, it is a constant struggle, where every year we need to increase our security, bearing in mind the fact that we’re never going to have total security. This forces us to be resilient.

Tools such as artificial intelligence and machine learning will help to provide us with better protection and to automate certain detainment and protection processes. But it will also be a problem, because these tools are also used by the bad guys. I want to highlight two things that are already here, and that will be both a solution and a problem: quantum computing, and security in new environments such as cryptocurrencies, e-gaming and so on.

What kinds of threats and cyberattacks do you consider to be most dangerous for large organizations, and what differences are there between these organizations and smaller ones?_

Each company is a totally different world. What is a problem for a medium sized company like mine won’t be for a company in another sector. The same formula doesn’t exist for all organizations. That said, what is common for all organizations is the need to know exactly where the risks are for our companies, and how to protect them effectively. In this sense, I would recommend drawing up an Operational Security Plan and constantly revising it. This way, the whole company (all its employees, to a greater or lesser degree) will be clear about where the threats are, what we’re doing, and what we will do to protect them. Ultimately, it’s everyone’s task.

In that sense, given how sophisticated the threats in the enterprise sector are, and how complex they can be, how should cybersecurity be dealt with in order to cover its more specific needs?_

It’s true that a company in the enterprise sector is more complex, and faces larger risks, when it comes to protecting against threats. But it also has more awareness about these threats (or at least it should), and of course it has more resources. I’ll refer you back to the previous point.

What does the adoption of zero trust cybersecurity policies entail?_

It’s a major shift in the way we approach the security model. Now we need to know where our clients’ data, devices and applications are, and ensure that they are all properly protected. Never trust, and always check. That’s the basic rule. Forrester said this a long time ago. However, we do need to take into account the fact that these things aren’t always under our control or even in our infrastructure.

Cyberattacks that use Living-off-the-Land techniques, and the use of fileless malware are on the rise, and are a huge challenge for more traditional cybersecurity measures. In your opinion, what kind of measures should companies implement to prevent and mitigate these attacks?_

Traditional cybersecurity measures are valid, but it is a mistake to think they’re enough. We can’t think that we need the newest, most innovative detection and protection systems, then forget about the most basic elements, leaving them to the cybersecurity intern.

This is why I recommend having an appropriate continuous improvement plan for the assets we’re protecting. Then with this, it is possible to progressively improve the security of these assets, making logical changes.

Why have threat hunting strategies become so relevant, and what differentiates them from other more traditional strategies?_

Because we need to stop being reactive. In most of our companies, security is still reactive, and we need to change that and shift to a proactive security stance. As such, it is a hugely important change, and one that is difficult compared to what we used to do years ago.

We need to design responses to new attacks that we don’t even known. We need to get ahead. This is why classic solutions are no longer enough.

Recently, a report revealed that the cyberattack Stuxnet, which managed to delay the Iranian nuclear program, was carried out with the help of a mole hired by foreign intelligence agencies, and used a flash-drive as an attack vector. How can organizations protect themselves against cyberattacks from inside via insiders?_

By praying; at times it is extremely hard to control those factors. Nevertheless, we must try to apply the same proactive awareness and prevention methods we’ve discussed here.

Finally, related to the previous question, how important is it for companies to have cybersecurity measures that reach the endpoint?_

Given that companies are now moving in a hybrid environment, it’s getting more complex. Security isn’t delegated in the companies that control our endpoints. In the end, we’re the ones who are responsible for end to end security. As such, and with the help of different providers, we must design our security with elements that are no longer on premise. Sounds fun, right?