Red Hat’s Lucy Kerner: ‘You have to look at security as a team sport’

29 Jul 2021

Image: © apinan/Stock.adobe.com

Red Hat’s Lucy Kerner spoke to Siliconrepublic.com about the latest security trends and the common mistakes companies are making.

Security has been a major tech topic for years, from the cybersecurity skills shortage to challenges around digital transformation.

However, it has been put under the spotlight more than ever over the past year and a half due in no small part to the Covid-19 pandemic. This sent workers around the world home, effectively decentralising much of the global workforce and putting several sectors under more technological pressure.

This perfect storm, along with the growing sophistication of cybercriminals, led to global ransomware attacks on major organisations including a US gas pipeline and Ireland’s Health Service Executive (HSE).

Lucy Kerner, director of security global strategy and evangelism at Red Hat, told Siliconrepublic.com that many of the recent breaches we’re hearing about on the news share a lot of common themes.

“Human error is one big one,” she said. “They’re things like compromised or weak passwords. That was the case of the Colonial Pipeline ransomware attack.”

‘There is no such silver bullet tool’
– LUCY KERNER

She also said social engineering attacks are very common, which was the case with the HSE incident.

Social engineering involves the psychological manipulation of people into performing actions, such as clicking on links by pretending to be a helpful chatbot trying to solve a technical issue.

“Another big one is misconfigurations, that’s another really common issue that leads to breaches,” said Kerner.

This was the case for Capital One in 2019, which suffered a data breach due to a misconfigured web application firewall.

Another really common issue is “unpatched systems of known older vulnerabilities,” which was the case for Equifax in 2017. That breach affected about 148m customers, with stolen data that included credit card information, certain dispute documents, social security numbers and addresses, among other information.

The investigation that followed traced the breach to problems in the company structure. A communication breakdown caused an issue between IT policy development and IT operations, leading to delayed patching of critical systems.

“These are not new problems that just happened, these have been issues for many, many years,” said Kerner. “One break in the supply chain can be completely catastrophic for the company.”

Security challenges

One of the biggest problems when it comes to security is ensuring that it gets addressed before an attack occurs, not after.

However, Kerner said that while regulated industries are often required to address security, companies outside of those industries can often let it fall down the priority list in favour of more profitable endeavours.

“Security is not a money-making event,” she said. “There’s always that trade-off between security and being agile. You can’t have 100pc of one without sacrificing the other.”

She also said the need to bring security out into the open, giving it a more company-wide approach, can be tough when it had previously been siloed in one section of the business. But now that developers have more power around security, it can no longer fall solely to the security team to be in charge.

“A lot of organisations don’t see that this responsibility is spread across the company, you can’t just force that on the security teams. So you have to look at security as a team sport.”

‘The tools you have in place now will be completely obsolete potentially’
– LUCY KERNER

Another major challenge companies face is around security tooling. They want to know which tool is the best one that will handle all of their security issues.

This might not only be to make their own lives easier or to streamline processes. Kerner said that for a lot of companies, it’s also about having a place to point the finger if something goes wrong.

Unfortunately, there is no one-stop shop when it comes to security. “There is no such silver bullet tool. However, the vendors out there, many times they will advertise it like that,” she said.

“Any vendor that tells you that they have that one tool is lying because it doesn’t exist.”

She said companies that want to address their security issues should take a good look at their security tooling.

“There’s a lot of emotion around tools because people will say ‘I spent my career learning this one tool, you’re not taking it away from me’.”

However, tools change all the time so it’s important that companies constantly review their arsenal to make sure the tools are still working for the business.

“In 18 months, the tools you have in place now will be completely obsolete potentially,” said Kerner.

She added that it’s important to have a framework in place so that whatever work is happening within the company, it should follow a set framework that is automated, consistent and secure.

Practical education

With the growth of phishing emails, scams and social engineering attacks, it’s more important than ever that all members of staff are educated about security practices.

In fact, Kerner said the educational approach is so important because it helps to tackle the security resource issue, which can often make companies feel like they need to throw bodies at the problem. “You’ll never have enough people, you’ll always be short staffed.”

She advised that companies look at the IT team they have and build a cyber-resilient team within.

She gave an example of Mastercard, which she said takes the creative approach of creating a specific security role inside application development and an application development role inside security team to allow education to flow from both sides.

This kind of approach would mean companies need to establish a general culture of cross collaboration, cross training and cross pollination. “That’s how you get security to be across the organisation.”

Simply sending out literature for staff to read or online modules for them to complete is not always enough to ensure they are engaged with learning about security.

Kerner said there are several more practical ways of getting buy-in across the organisation, from the technical departments to other areas such as HR or sales.

Some companies create formal education or training for everyone in the organisation as well as formal certification courses. Others reward staff for getting security training, for example with a ‘lunch and learn’ session, as well as having career paths and mentorship in place to increase security education, awareness and culture.

Kerner also spoke about a company that carried out a mock breach. “They do tabletop exercises as a company every quarter and do a complete mock breach,” she said. “They do everything as if an actual breach happened.”

Another company went offsite to an escape room-style event, which involved relevant security problems that the team had to solve.

Hiring the right people

Kerner’s final piece of advice centred around hiring the right people for security.

“When you’re hiring, you don’t just hire people who have security in their title. Security has fundamental skills that you can build into a security role. For example, if you are a really strong programmer, that means that you can do security too,” she said.

“Look for key, core skills that a security person will need and grow that person. Just because they don’t have security in their title, doesn’t mean you can’t make that person into a strong security person.”

Jenny Darmody is the deputy editor of Silicon Republic

editorial@siliconrepublic.com