​We tend to talk about security wrong: Trend Micro VP

With security touted as being everybody's responsibility, Trend Micro's Global VP of cloud security Mark Nunnikhoven believes security teams need to start acting in a manner complementary to that.
Written by Asha Barbaschow, Contributor

The security community has gained itself the title of being the team of "no": No clicking on links, no browsing particular websites, no installing certain software. Trend Micro Global VP of cloud security Mark Nunnikhoven told ZDNet this needs to change, because if security is everybody's responsibility, organisations need to act that way.

"While the board is way more cognisant of it, while CISOs might be better at working at the board level, fundamentally on the ground, we need people talking about security while they're building solutions, while they're rolling out technologies internally," Nunnikhoven said. "If it's everybody's responsibility, why have you isolated the experts in their own little team?"

Visiting Sydney from Canada to speak at the AWS Summit last week, Nunnikhoven explained that relying on a user not to click on a link is "absolutely absurd".

"We tend to tell people not to click on links, which I think is ironic because a link has one purpose in life -- to be clicked on -- yet as security people, we tell users not to click on a link," he said.

"That is a fundamental failure. If we don't want users to be clicking on malicious links, then what we should have is controls in place to filter out those malicious links, transparent to the user."

As phishing emails are getting so well crafted, Nunnikhoven said it is extremely difficult for people who are paranoid to spot them, let alone casual users. Far more effective from a security perspective, he explained, is to put in gateway filtering on the network or controls that are transparent to the user so if they do click on a bad link, all they see is the gateway control.

"That is a far better security interaction, because the onus is no longer on the user, it's on the technology. And that's what we need to build, is far better security tools and deploy them out," he said. "That's a much more pleasant security conversation."

Nunnikhoven took a long and circuitous route before landing at Trend Micro. A forensic scientist by training, prior to his six years at the security vendor, Nunnikhoven spent 10 years with the Canadian government in a variety of security positions after working for IBM and Noretel.

With 16 years of experience in the security game, Nunnikhoven said the industry tends to talk about security wrong.

"We tend to talk about security as a way to keep bad guys out, and while that is technically correct, I think a far more productive way to think of security is that the technical security controls of things like firewall, IPS, anti-malware, all that kind of stuff, the goal of that is to ensure that whatever you've built is doing what you want and only what you want," he said.

"So that's the flipside of -- the inverse of -- keeping bad guys out.

"The reason why I like to look at it from that way of making sure it is doing what you intended and only that is because now you're not just talking about bad guys coming in and attacking, you're also making sure that you're catching configuration errors, mistakes, performance issues, you're catching a whole host of other things."

Instead, Nunnikhoven believes security plays a better role when it isn't an isolated notion of keeping the bad guys out.

"It's part of a bigger pie, it's part of operations in general, it's part of delivering business value, and if all you're thinking about is keeping cybercriminals away from your data, you're selling yourself short and you're selling your security program short," he explained.

"The reality is that no security product is perfect. You need a multitude of controls."

Likening security to a game of football, Nunnikhoven said organisations need multiple defenders working in concert, because at some point, someone's going to get through and score.

"You need to be able to recover from that," he said.

"That's how most organisations approach security -- they're all about prevention, all about stopping it, as opposed to understanding that's a majority of what you need to be doing, but you also need to plan for resiliency and recovery.

"That's the holistic viewpoint, and I think if all you worry about is keeping bad guys out, you're doing your organisation a disservice and you'll actually have a much weaker security posture."

Editorial standards