Rob Rosiello joined Skybox Security in 2019 with a track record of developing high-performing sales teams and customer-focused culture, building on his more than 25 years of IT infrastructure and networking expertise. Today, he’s offering big-picture insights into how CISOs are managing the reopening of enterprises following the COVID-19 pandemic, especially during a time of unprecedented cyberattacks on critical infrastructure and supply chains.
What is top of mind during your recent conversations with CISOs?
Rob Rosiello: CISOs are facing the most sophisticated threat landscape ever. There is certainly no shortage of worries that are top of mind in my recent conversations with security leaders. They know threat actors do not take vacations and are constantly planning the next cyberattack. Some common themes that I have heard involve “the new normal” in the midst of Covid and a focus on protecting critical infrastructure.
As it relates to the “new normal,” CISOs are focused on how to continue to tackle business continuity and remote access challenges caused by the pandemic, including the significant investment in VPN and endpoint security. Also, how best to scale environments with performance to support what has become our prolonged ‘new normal.’ In particular, customers have shared that the velocity of the remote access deployments inevitably had security compromises. As a result, choices had to be made to support moving business initiatives forward. The ongoing challenge is to continue to shut down those “compromises” and fortify their ability to address the ever-dynamic threat landscape.
Second, business leaders are becoming increasingly concerned about the preponderance of malware and ransomware attacks on critical infrastructure – something I think of as the latest flavor of nation-state warfare. For the past ten years, people have focused on financial, intellectual property, brand impact, and personal cybercrimes such as identity theft. However, recent ransomware attacks have aimed at fundamental infrastructure, targeting our food supply chains (meat giant JBS) and our largest fuel system (Colonial Pipeline). It’s clear now that emerging infrastructure technologies, application-centric security focus, and operational technology (OT) can be a major point of weakness.
Beyond just securing OT assets, is there any bigger picture solution?
RR: Given the scope of the problem, it’s critically important for every company to break down internal silos to address the entire threat landscape. At the most senior levels of companies, this needs to be a mandate that isn’t sponsored solely by the CISO. Because the damage has moved beyond reputational and is now impacting the ability to execute business, it must also be top of mind beyond the CEOs and CFOs, and extend to executives across all functions: supply chain, marketing, sales, etc.
I would tell a C-suite executive that silos within an organization – particularly within the tech stack functions – are vulnerabilities that we should assume threat actors are already looking to attack and exploit. These silos create pathways for sophisticated attacks, and we need to eradicate the operational challenges that come with a siloed approach to tech delivery.
Given recent events, CISOs tell us that this is now their opportunity to look more holistically across their environments. Part of that involves removing legacy elements that are creating security issues. For example, in some cases, customers think they’ve decommissioned old applications only to find these applications are still connecting to the network via remote outposts – unintended side doors for threat actors. The Oldsmar, Florida water treatment plant cyber attack is an example of this.
Because CISOs are looking at their networks more comprehensively, they also realize the complexity and scope of their weak spots. OT vulnerabilities alone represent an exponential challenge, adding 10, 15, or 20 times more assets to the attack surface equation. This can be a shock to the system for organizations that have under-invested in cybersecurity or maintained ‘don’t-ask-don’t-tell’ OT cultures. Now, recent infrastructure attacks make this impossible to ignore.
The types of problems you’re talking about vary dramatically from company to company, though?
RR: Skybox Security is unique in that we meet our customers where they are along their journey. We don’t create a forcing function where customers have to consume our portfolio of solutions and services all at once. Our Security Posture Management portfolio has the best in breed elements in both policy and vulnerability management. For example, one of our customers started with security policy management and then easily added vulnerability threat management capabilities after a year. We can also begin with our VC essentials portfolio that helps customers obtain a foundational understanding of their vulnerability landscapes. Then, add other key capabilities such as firewall assurance or exposure analysis and advanced analytics when the time is right.
Customers aren’t just looking for usability. Security leaders want incremental wins along the way as they build towards a fuller solution. Skybox Security provides that tangible, incremental value throughout the implementation process, working together to identify initially critical areas so customers can begin tightening their security postures immediately. These things include important foundations to security posture management like configuration compliance, rule usage analysis, rule recertification, and network assurance.
We understand customers deal with incredibly complex environments in increasingly regulated environments. This is why we integrate with more than 150 technology partners to address the many nuances of a network and the environments our customers operate across – whether that means dealing with hybrid clouds, private clouds, public clouds, OT/IT, policy management, and/or vulnerability threat management. In addition, we work with some of the best and brightest channel and integration partners in the industry to deliver comprehensive solutions to the complex environments our customers are accountable for.
Given the complexity of environments and that large number of technology partners, how can CIOs practically manage infrastructure at that scale?
RR: Our customers are generally a part of the Global 2000. As a result, they have some of the most complex environments – many of them deal with 30 cybersecurity tools or more at any given time. In recent conversations, they’ve made clear that they’re not trying to cut cybersecurity costs but rather seek to achieve operational excellence and agility by reducing complexity. This comes in the form of tools consolidation but also in maximizing the talent in their organizations.
CISOs are strained for talent right now. One customer said their primary goal was to reduce their tools from 28 to 10, freeing their teams to do more proactive, thoughtful work instead of what I call keystroke work. They don’t want their talent to be keystroke operators of tools.
Nobody buys technology for technology’s sake. They buy technology so they can seize an opportunity or solve a problem. So, first, we help our customers analyze how each tool supports their business goals. Then, we streamline their systems while considering the implications from both threat landscape and posture management perspectives. I’m proud that the majority of our customers have been with us for multiple years. That’s because we are their partner that supports them throughout their journey, not a vendor simply selling technology.
How do you see the cybersecurity industry evolving over the next couple of years?
RR: If I had a crystal ball, I’d say security will shift from a detect-and-respond modality to a more proactive, front-end business process. I believe the industry will eventually evolve to predicting where the next attack will be and shutting down threats before they occur. This is why digital risk protection, application security, integrating OT in the visible network environment, and breaking down silos will be fundamental to fortifying a customer’s security posture approach.
Beyond silos, we also need to think about how we tackle OT security. The Colonial Pipeline ransomware attack and other similar situations in recent months have demonstrated that we need to rethink how we think about our digital infrastructure. Services like Amazon are becoming modern critical infrastructure. Suppose somebody shut down Amazon for a day. Some people would be unhappy that they didn’t receive their packages, but more importantly, they may also become sick because they didn’t receive their medication.
This is where I believe the next phase of cyber warfare is taking place: the supply chains. When threat actors try to shut down food supply, agriculture, or energy again – targeting their trucking fleets or delivery infrastructure – the result will be no food on the shelves because the meat can’t leave the plants. The B2B partner infrastructure is critical in a host of industries. These are areas that must be reinforced along with a company’s own infrastructure.
For the cybersecurity industry, the next two or three years must be about reinforcing supply chains and ecosystems, securing the linkages between customers and their suppliers, and reducing vulnerabilities in mission-critical business applications. These are the big challenges, and we’re ready to assist our customers in taking them on.