TECH TALK
Why tech has failed on cybersecurity
Current attempts to manage today’s
ever-evolving threat landscape are failing,
and not through lack of innovative product
development. VMware’s CEO, Pat Gelsinger,
believes the answer may lie in flipping the
existing security model on its head.
It’s time to acknowledge that
the tech industry has failed our
customers when it comes to
cybersecurity and data protection.
Our industry is built on trust. Trust that our
software and hardware products work.
Trust in the confidentiality of customer
data, and trust in our ability to safeguard
the integrity and availability of mission-
critical systems. We earn that trust every
day, by protecting our customers’ critical
applications and sensitive data in an
increasingly mobile and cloud world.
The challenge is only intensifying, as
application architectures evolve rapidly
and as the apps themselves become a
primary target for cybercriminals.
Albert Einstein said, “The definition of
insanity is doing the same thing over
and over again, but expecting different
results.” Unfortunately, that’s a good
summary of our current approach to
cybersecurity. Until we re-engineer our
fundamental security model, we will be
unable to dig ourselves out of this hole.
Transforming cybersecurity: from
chasing bad to ensuring good
The problem is not a lack of innovative
products. In fact, there’s tremendous
innovation happening in cybersecurity
today. The problem lies in our
foundational approach, which is rooted
in ‘chasing bad’. It’s a never-ending
arms race, and we always seem to be
rushing to catch up. When you’re chasing
bad, you’re constantly looking for the
proverbial needle in a haystack, across
a very large attack surface. But what if
we took the opposite approach? What
if, instead of chasing bad, we flipped the
entire model on its head and focused our
efforts on ‘ensuring good’? When you
focus on ensuring good, in effect you
remove all the unnecessary hay, because
you narrow down the exploitable attack
surface exponentially. How?
At the heart of ensuring good is a revival
of the age-old cybersecurity concept of
‘least privilege’, where users and system
components are given the absolute
minimum level of access, function, and
interaction required. In other words,
unless you explicitly have access, you
don’t. The big difference today – and
the big breakthrough – is that we now
have the ability to enforce least privilege
at scale, without slowing down the pace
of innovation or the businesses we serve.
Ensuring good goes far beyond the
rigid ‘lockdown’ methodology of
INTELLIGENTCIO