Adapting to a changing cybersecurity landscape [Q&A]
The past few years have seen some major changes in the IT world. Accelerated by the pandemic we've seen a significant shift to the cloud and hybrid working models.
But this brings with it additional risks. We spoke to Matt Spitz, head of engineering at Vanta, to discuss the security challenges posed and how enterprises can adapt to cope with them.
BN: Third-party vendor risk continues to rise as a result of app sprawl. Can you tell us about this challenge?
MS: Organizations have become increasingly reliant on third-party vendors to get work done -- collaboration tools like G Suite and Slack are prime examples. And it makes sense given the productivity gains.
But this increased usage has also created stack bloat. Shockingly, most companies use over 100 SaaS vendors on average. This has created a number of challenges. First, the administrative work involved in standard processes like onboarding/offboarding employees and managing access has become unmanageable for IT teams. Second, sensitive company and customer information is dispersed across all these applications, making it difficult to secure.
The security implications have become all too real. Experts today estimate that 60 percent of data breaches happen via third-party vendors. Unfortunately, mitigating these risks is easier said than done. According to a report by IBM and the Ponemon Institute, it takes companies 277 days on average to discover and contain a data breach.
All of this aside, the bottom line is that every company is responsible for the security of the vendors it entrusts with sensitive information. Their customers don't care whether the company or a third-party vendor leaked its data. It's incumbent upon every vendor to establish trust with any entity they do business with. This has been Vanta's mission from Day One: to help companies establish and prove their security.
BN: Shadow IT is still very much alive and well in 2023. What can companies do today to mitigate risk?
MS: The problem today is that current processes to surface and mitigate shadow IT only go so far, and are mostly manual. Even during boom times when budgets are healthy, it's difficult to track down every application and determine risk. Imagine now, when IT and security departments are looking to do more with less.
Many of the tools today's businesses depend on land with an individual credit card signup and PLG. Tools to inspect SSO, payments, and emails can reveal potential unauthorized vendor usage.
But that's not enough. Companies need to be proactive in managing shadow IT. And the only way to be proactive is to have full-stack visibility.
This is where Vanta comes in. We help companies discover and monitor any third-party applications and systems they use -- even unsanctioned ones. These run the gamut including cloud providers, identity providers, databases, CRM systems and more.
At a deeper level, we also track applications that our customers' employees are using via integrations with their SSO and IDP systems. Our customers can also manually upload a list of vendors and users if needed and connect Vanta to their procurement process to automate the compliance approval process during intake of new vendors. Our process is end to end.
BN: It's often hard to gauge your security posture with accuracy, and therefore hard to prove to your customers and partners that their data is safe with the entities they do business with. What can companies do to ensure a high level of transparency?
MS: For a long time, traditional security compliance certificates like SOC 2 were treated as a single point in time, audited by humans, and based on company-provided data. This was also back when security was siloed. Nearly everyone worked with a fragmented, brick-by-brick view.
But security today is a boardroom-level issue. Leadership understands that the cost of a security breach can be devastating for their business. In 2022, the average cost of a data breach reached a record high of $4.35 million, according to the same IBM report I mentioned earlier. Many experts estimate that could climb to $5 million in 2023.
Companies now recognize the inextricable connection between strengthening security and building revenue. They understand the need to prove to customers and partners they are secure and compliant -- and how crucial that is to building trust and deepening relationships.
Security needs to be monitored in real time, giving a more complete and up-to-date picture of security posture. It should be reported hourly, not annually. We help make that happen; for example, we provide companies with real-time reporting on their security status. This way they can proactively demonstrate their security at any time to customers -- with maximum transparency.
BN: Is this increased business/boardroom-level awareness recent?
MS: Yes, it is relatively new. The cost and frequency of breaches shot up dramatically over the last 10 years. We have Yahoo!, Facebook/Cambridge Analytica, SolarWinds, Equifax; I can go on. This has forced companies to invest in security earlier. Often, they are driven by the need to get their first compliance certificate in order to pass a new customer's security review of vendors.
BN: How do you see the threat landscape shifting in the coming years, especially given economic conditions? And how are new emerging technologies, like ChatGPT and Large Language Models, changing the way companies think about security?
MS: Companies will continue to adopt best-in-breed tools, which means their attack surface will only continue to get larger and more complex. We also expect companies will strive to create greater efficiencies, which means they will have fewer resources to manage the growth in the application stack.
On the topic of AI, the rise of large language models (LLMs) is a paradigm shift in how we think about data security and privacy. The fact is the use of LLMs further increases the surface area a security team needs to protect. These models will undoubtedly be weaponized by bad actors. And the business cost of this new breed of threat could make breaches like SolarWinds and Equifax look like a walk in the park.
But it’s not all doom and gloom. Companies are moving fast to enact policies and controls for such things as mitigating the risk of employees unintentionally leaking company and customer data on ChatGPT and other public-facing generative AI applications.
Also, LLMs create a unique opportunity for security teams because they can quickly, easily search and summarize large swaths of security data. At Vanta, we're currently exploring how we can apply LLMs to help companies make sense of their security posture more quickly. That will be a valuable step forward, given the explosion of complexity at most companies today.
We're heading into several years of momentous change in cybersecurity -- and generative AI will certainly play a role. I'm convinced of that.