‘The old paradigm of the castle-and-moat approach to security is dead’

21 Aug 2020

Terence Jackson. Image: Thycotic

Thycotic’s Terence Jackson spoke to Siliconrepublic.com about changes in cybersecurity and why he believes identity is the new perimeter.

Thycotic provides cloud privileged access management solutions to businesses to help them better control and secure their data. The cybersecurity firm works with companies such as Honda, BAE Systems and BP.

Terence Jackson is the chief information security and privacy officer at Thycotic, with more than 17 years of IT and security experience in the public and private sectors. He spoke to Siliconrepublic.com about his role and what major trends he sees coming down the line for the cybersecurity industry.

‘This new normal will help to accelerate the already growing trend for transitioning over to cloud services’

Describe your role and your responsibilities in driving tech strategy.

My primary role involves protecting Thycotic’s information assets as well as managing the risk and information technology programmes without hampering productivity to enable us to achieve our business goals.

I am responsible for providing enterprise-wide leadership to establish and maintain comprehensive information security across the organisation, which involves keeping the business informed about the latest threats and regulations that might impact us. Another element of my remit is providing cyber innovation, data privacy, and managing organisational risks.

Achieving all of this requires policy creation, education, training, security incident response, risk assessment, incident prevention, detection and forensics.

Are you spearheading any major product or IT initiatives you can tell us about?

Thycotic is renowned for providing solutions that help to ensure clients have as robust an information security programme as possible. It is my job to make sure the same happens internally at Thycotic and I’m always looking at ways in which we can improve our own information security.

Last year, we basically rebuilt our internal network from the ground up to provide better confidentiality, availability and integrity of our enterprise. We did a fair amount of enhancement around endpoint detection and response, which has paid dividends during the pandemic. My current initiatives are focused on data privacy and third-party risk management.

How big is your team? Do you outsource where possible?

We have the capacity and resources to deal with all critical tasks internally. This includes focusing on actionable alerts, refining our detection capabilities and prompt response and remediation of events.

To ensure my teams are able to deal with this as a priority, anything that is not critical is outsourced. This means that our in-house team, whose expertise is second to none, do not have the pressure or distraction of dealing with lower-level tasks and can focus their skills and experience on more complex issues.

What are your thoughts on digital transformation and how are you addressing it?

Personally, I love digital transformation. The pandemic has forced companies to reevaluate where their workloads are located and develop strategies for migrating more of them over to the cloud. Remote working is here to stay as more organisations have discovered that their workforce can function just as efficiently and effectively, if not more so, away from the office.

I believe this new normal will help to accelerate the already growing trend for transitioning over to cloud services, meaning that companies will have to fundamentally shift the way they approach this transformation. Companies will, by necessity, now seek out vendors that can provide more than just a point solution but can instead offer a platform that can grow and adapt to the way they do business.

What big tech trends do you believe are changing the world and your industry specifically?

Without a doubt I would have to say identity. Identity is the new perimeter and the old paradigm of the castle-and-moat approach to security is dead. There has been an increased focus on endpoint protection as well, but we have to make sure that the person that is accessing the resources is authorised and has a legitimate reason to do so, all the while not introducing friction and roadblocks for the user.

Key to this is access governance, which combines the traditional identity access management and privileged access management solutions into a more consolidated discipline. A convergence is happening and we must adapt to truly have any chance of staying secure.

‘Zero trust’, where organisations never take for granted the identity of a user and always verify them, is gaining momentum in the industry. However, it is important that automation is used where possible to verify identities to prevent authentication becoming a point of friction for the user.

In terms of security, what are your thoughts on how we can better protect data?

In order to better protect data, we must first discover it, classify it and make sure it is not kept longer than needed. Not only is this good security hygiene but it is also necessary for complying with data protection legislation such as the GDPR and the newly enforced CCPA.

Using a ‘least privilege’ approach, where users are only able to access those applications and data required for their job roles and nothing else, is vital for helping to keep sensitive assets safe.

Organisations must aim to enforce least privilege through implementing zero trust. A key component of this is governing approved access and rapidly responding when improper access is detected. Finally, regular access reviews should be performed to verify that those who have access still need it.
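As an added illustration of the two points above (least privilege and periodic access review), the following Python script is example code written for this page, not code from Thycotic or from the interview. It compares each account's grants with a role baseline, flags entitlements not exercised within a review window, and checks access-log events against the approved grants. The role names, grant labels, dates and log lines are all constructed for the example; the 90-day idle threshold is an assumed review policy.

```python
"""Least-privilege and access-review checks over a constructed entitlement snapshot."""
from datetime import date, timedelta

# Constructed role baselines: the grants a role legitimately needs and nothing more.
ROLE_BASELINE = {
    "developer": {"git:push", "ci:read", "staging-db:read"},
    "dba": {"prod-db:admin", "staging-db:admin", "backup:read"},
    "support": {"ticketing:write", "customer-db:read"},
}

# Constructed directory snapshot: what each account currently holds.
USERS = {
    "alice": {"role": "developer",
              "grants": {"git:push", "ci:read", "staging-db:read", "prod-db:admin"}},
    "bob": {"role": "dba", "grants": {"prod-db:admin", "backup:read"}},
    "carol": {"role": "support", "grants": {"ticketing:write", "customer-db:read"}},
}

# Constructed last-use dates per (user, grant); a missing key means never exercised.
LAST_USED = {
    ("alice", "git:push"): date(2020, 8, 20),
    ("alice", "ci:read"): date(2020, 8, 18),
    ("alice", "staging-db:read"): date(2020, 7, 30),
    ("alice", "prod-db:admin"): date(2020, 3, 1),
    ("bob", "prod-db:admin"): date(2020, 8, 19),
    ("bob", "backup:read"): date(2020, 1, 15),
    ("carol", "ticketing:write"): date(2020, 8, 21),
}

AS_OF = date(2020, 8, 21)  # review date (constructed)

# Constructed access-log lines: "<timestamp> <user> <grant> <decision>".
SAMPLE_LOG = [
    "2020-08-21T09:12:00Z alice git:push ALLOW",
    "2020-08-21T09:15:00Z alice prod-db:admin ALLOW",
    "2020-08-21T09:20:00Z bob staging-db:admin ALLOW",
    "2020-08-21T09:25:00Z mallory prod-db:admin ALLOW",
]


def excess_grants(users, baseline):
    """Grants held beyond the role baseline: least-privilege violations to revoke."""
    result = {}
    for user, info in users.items():
        extra = info["grants"] - baseline[info["role"]]
        if extra:
            result[user] = sorted(extra)
    return result


def stale_grants(users, last_used, as_of, max_idle_days=90):
    """Grants not exercised within max_idle_days (or never): review candidates."""
    cutoff = as_of - timedelta(days=max_idle_days)
    stale = {}
    for user, info in users.items():
        for grant in sorted(info["grants"]):
            used = last_used.get((user, grant))
            if used is None or used < cutoff:
                stale.setdefault(user, []).append(grant)
    return stale


def classify_event(line, users, baseline):
    """Classify one log line against approved grants and the role baseline."""
    _ts, user, grant, _decision = line.split()
    info = users.get(user)
    if info is None:
        return "unknown-user"          # access by an account the directory does not know
    if grant not in info["grants"]:
        return "ungranted"             # exercised a right the snapshot never approved
    if grant not in baseline[info["role"]]:
        return "excess-privilege"      # approved, but outside what the role needs
    return "approved"


def improper_access(lines, users, baseline):
    """Return (user, grant, verdict) for every event that is not plainly approved."""
    findings = []
    for line in lines:
        verdict = classify_event(line, users, baseline)
        if verdict != "approved":
            _ts, user, grant, _decision = line.split()
            findings.append((user, grant, verdict))
    return findings


if __name__ == "__main__":
    print("excess grants:", excess_grants(USERS, ROLE_BASELINE))
    print("stale grants:", stale_grants(USERS, LAST_USED, AS_OF))
    for finding in improper_access(SAMPLE_LOG, USERS, ROLE_BASELINE):
        print("improper access:", finding)
```

Run as-is it reports alice's prod-db:admin both as excess (outside the developer baseline) and as stale (last used in March), bob's unused backup grant and carol's never-used customer-db grant as review candidates, and two log events that the snapshot cannot justify: bob exercising a grant he was never given and an unknown account reaching production. In a real deployment the snapshot and last-use dates would come from the identity provider and the access logs rather than being embedded in the script.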
