Grant Shirk, Vice President of Marketing at Vera, talked about directly protecting data—wherever it resides and travels—and the importance of building trust into applications and services.
At the outset of his thought leadership presentation at the 2017 Chief Information Security Officer Thought Leadership Forum held on April 5 in Atlanta, Shirk noted, “A lot of the investments we’ve made over the past five to ten years and a lot of the established technology we’ve built were designed to solve a different challenge than the one we’re struggling with today. It used to be more difficult than it is today to take information out of the enterprise. The other challenge is, we always feel like we’re trying to catch up. We’re trying to bolt security onto email or onto mobile devices that people are bringing into the enterprise.”
“We’ve focused probably 80% of our time, systems, and budget on addressing confidentiality of information. This brings us to my topic of making security more data-centric. It’s about protecting that data much more directly—no matter where the information lives or how it’s being shared. Going forward, there’s a big shift in what we need to be looking at. The focus of attacks and the threats to our organizations are on the availability and integrity of the data.”
Shirk continued, “The Swift attack out of Bangalore was a billion-dollar heist. It was one of the first, high-profile ghostware attacks. Not only did the hackers enter the system and manipulate data, the software they built erased their tracks on their way out the door. This makes the attack much more difficult to diagnose after the fact, so it’s increasingly important to protect that information however you can. Gartner estimates there will be 20 billion connected devices by 2020, which translates to many more ports of infection to defend against. More than that, it’s a lot of different variables to try to protect. We need to determine which endpoints we can trust.”
Shirk noted that ransomware dominates the threat landscape and increased by 142% this year alone. “These attacks aren’t changing or destroying data; they’re holding it for ransom and impacting our ability to interact with information that’s driving our business. It’s an attack on the availability of information. However, some of the very complexity that’s coming into our businesses is the perfect cure for this—cloud services and cloud collaboration provide automatic backup of data,” he said.
“When the integrity and availability of our data are under threat, we have to shift the model. We need a better way, as a community, to establish, define, and update trust in the system,” he said. “When you’re in a world in which you can’t trust that access to information is the sole, defining characteristic of your right to have it, you have to look at the problem differently. Ownership or possession of data shouldn’t equal your right to access or manipulate it. Security can’t be a bolt-on. We have to find ways to build this idea of trust and security directly into applications and services.”
Shirk continued, “I see security becoming a user-experience problem, which is a big mental leap to make. In considering what would make a better trust model, we need something to proactively address the challenges around availability and integrity without sacrificing the primary confidentiality component, which means being more flexible and resilient. We have to assume information needs to be accessible, in multiple forms and in multiple locations. Also, we need to make encryption the de facto standard—the expectation of how information is stored rather than the exception. With encryption, the confidentiality properties of the data will travel with it.”
In conclusion, Shirk observed, “If you put together the idea that your accessed information is flexible and resilient, you’re operating under the assumption that you don’t trust where the information is stored but you trust how it’s accessed; you have a more dynamic model to assess the trust of a person or machine accessing that information; and you can better protect the integrity of that data.”
ABOUT GRANT SHIRK:
Grant is Vice President of Marketing at Vera, where he’s focused on helping global businesses secure and share critical information with customers and partners. An expert in trusted collaboration, enterprise SaaS, and demand generation, Grant has helped brands like Fidelity Investments, UPS, USAA, and Viacom design and deliver elegant, intuitive, and useful solutions to their customers and employees. With over fifteen years of experience in marketing strategy, positioning, and product design, Grant has built highly efficient product and marketing teams at Box, Microsoft, and Tellme Networks, with a focus on unique positioning and rich, customer-driven storytelling. Grant received his B.A. in History from Stanford University.