GISEC 2022 Part 1 – Zero Trust, Identity and Small Chunks


The Impact on Digital Transformation in Healthcare

Recently I attended the first day of the Gulf Information Security Expo & Conference (GISEC) in Dubai and took particular interest in the topics discussed on the Healthcare Track.

Zero Trust was very much a common thread discussed by almost all presenters and the topic of Identity was highlighted as fundamental to this. There was also an elephant in the room which I will discuss in part 2. But first, here are some highlights including some facts and figures that I found interesting and which for me revealed a very strong theme.

Cybersecurity – key to Digital Transformation

His Excellency Dr Mohamed Al-Kuwaiti opened the conference and set the scene by reminding us that Digital Transformation relies on cybersecurity, and pointed out that the first question on the lips of many potential international partners is, “How secure is the UAE?” That’s a pretty fundamental point which we would all do well to remember.

Stephen Kavanagh, Executive Director of Police Services for INTERPOL, followed by highlighting the unprecedented rate of increase in the global security threat and cited an example whereby a recent record-breaking Distributed Denial of Service (DDoS) attack topped 3.47 Tb/s from 10,000 sources in 10 countries. He reminded us that attackers are no longer local, geographic boundaries are no longer a barrier, and old models based on those boundaries are no longer working.

Cloud adoption reduces risk

MK Palmore, former head of FBI San Francisco, now a Silicon Valley cybersecurity strategic advisor, told us that cyber incidents are now the #1 global business risk. He talked about the need for a shift in thinking in that too many people still associate cloud adoption with an increase in risk exposure, whereas due to hyperscalers' strong security credentials, cloud adoption should actually be seen as a risk reduction measure.

Zero Trust challenges – small chunks

Mr Palmore believes that CISOs want to make change, but identified a so-called digital transformation paralysis as a 2022 trend. Zero Trust, he stated, cannot be achieved with one single tool, so CISOs get stuck trying to solve what they perceive to be too large a challenge. He suggested that, rather than do nothing, CISOs should focus on limited, smaller-sized chunks.

Fady Younes, Cybersecurity Director MEA and EMEAR, Cisco, reinforced this point by highlighting that there are over 3500 security vendors in the market, with most customers having 75 tools on average. Adding to the consensus that the perimeter-based security model is obsolete, Fady Younes advocated leading with Zero Trust (ZT) as a strategy and advised that 78% of organisations are moving to embrace ZT. Notably, only 14% of healthcare organisations are enabling ZT.

Passwords and permissions – Identity management

A few statistics caught my attention: according to Gartner, 20-50% of help desk tickets are still for password-related issues. And according to LastPass, the average corporation has 150+ passwords in use.

Roy Kafity of Attivo Networks made some interesting observations, positing that during a move to the cloud, there can be an over-provisioning of permissions which can be abused by attackers. Defining Identity as the new battleground, he advocated that Identity must be a part of every enterprise’s security stack and organisations should strengthen their Identity and Access Management fundamentals.

He drilled down a little more into ZT, referencing CISA’s (Cybersecurity & Infrastructure Security Agency) Zero Trust Model and highlighting that Identity is Pillar #1 in that model. He pointed out that good hygiene practices and capabilities such as Multifactor Authentication and Single Sign-On should be considered the basics.

Cybersecurity investment – Return on Investment

A panel discussion, “Staying ahead of the hacker”, moved the focus onto healthcare. It was a very insightful discussion, the gist being that hackers have many advantages, but the money spent on trying to thwart these criminals is justified, given research findings that the cost of a significant breach can be 100 times the price of the cybersecurity investments that would have mitigated it. Given that, it is becoming easier to justify costs. Increasing regulation, especially when tied to the licensing of an organisation, will improve the landscape. Sultan Owais, Digital Lead, Prime Minister’s Office for the UAE, gave a call to action that cybersecurity practice in healthcare has to be improved, but opined that it will likely only be done through closely monitored regulation.

A final panel discussion, “USD 6 trillion is the annual cost of cybercrime to the global economy”, was full of great content from all of the panellists, including the astute observation that after a certain point, more security controls equate to less security, hence the importance of figuring out the sweet spot and thus the important things to focus on.

To conclude, this was an informative and educational day spent at GISEC, with a great set of speakers and panellists; my apologies to those of you whom I’ve failed to mention. My next blog will deal with the Elephant in the Room: exactly how do you manage digital identity in a complex healthcare environment?

Part 2 here