There are a lot of myths or “mythconceptions” around cybersecurity that can be harmful to your or your customers’ businesses. Knowing what’s real, and what isn’t, is an important component of an MSP’s cyber resilience and ultimate success, according to James Stanger, CompTIA’s chief technology evangelist, during a session at ChannelCon 2022 in Chicago.
“When it comes to cybersecurity and emerging technologies, the IT world appears to be haunted by quite a few myths. This is to be expected, really,” Stanger said. “Technologies change so quickly. It is often useful to use ‘enabling narratives’ to keep moving forward and contextualize the constant change. But, sometimes, these narratives get in the way of progress, especially if they remain unexamined, and if everyone is using conflicting approaches. As a result, these enabling narratives can quickly become clichés, and the equivalent of educational ‘deep fakes.’”
In particular, there are a lot of ‘mythconceptions’ around zero trust, Stanger said. He used a zombie movie analogy to explain: “What happens if your best friend turned into a zombie? That’s what zero trust is. You can’t trust your own network or applications,” he said. “What if there’s a problem, if I’m authenticated, I’m good to go, right? I might be for now but what if someone takes over one of my applications?”
And just like the movies, zombies (or cyber risk) can be fast, like “World War Z,” or slow, like “Shaun of the Dead.”
Stanger listed six technologies that need to work together as zero trust essentials: data/log aggregation; security analytics; continuous diagnostics and mitigation; user entity and behavior analytics; security automation and orchestration; and governance, risk and compliance.
Additionally, a checklist of zero trust features should include:
- Architecture of the future
- Demonstrate skills in at least six major areas
- Advanced authentication
- Continual monitoring
- Evaluation and contextualization
- Automated response
- AI-enabled intelligence
Meanwhile, it’s time to break the notion that premise-based applications and cloud-based applications are radically different. To quote Led Zeppelin, “the song remains the same,” said Stanger.
“No, it’s a different platform but behaves the same,” he said. “But the problem is too many workers think go in and say I know the cloud, Azure, AWS.”
While there is some “lift and shift,” many of the same techniques apply to SaaS applications, so it’s important to learn how applications talk, Stanger said.
Another myth is that security professionals have access to a clear, measured, recognized education pathway.
“I don’t think people know what the next step is,” Stanger said. “IT pros know their stuff, their technology, but when it comes to education, they’re lost. They tend to be bootstrapped, trying to figure it out themselves, which can be very inefficient. The term ‘best practices’ is often used to describe vendor-neutral education. I suppose that’s fine. But I’m more interested in the ‘practices’ side of things – practical, real experience. Experiential learning is the most transformative thing we have available to us as human beings. That applies to learning tech, as well as working with people.”