“… humans have never been very good at predicting the future. AI had been “just around the corner” as early as the 70s and 80s. And then again, nobody could have foreseen the colossal changes we’ve all recently witnessed with the rise of generative AI.” 

Stefan Dydak is Head of Security Consulting at Adnovum. His passion for Cybersecurity started during his studies in Forensic Sciences, after which he spent the better part of a decade in data forensics, international cybercrime and cyberfraud investigations at Kudelski Security and Zurich Insurance. Bearing witness to the rising complexity of modern IT infrastructures and the implication this had for security, he spent the subsequent years working as a security consultant for HP helping enterprise customers navigate this modern threat landscape, mitigate risks and shape future-proof security strategies. 

We think you will enjoy our interview with Stefan, in which he discusses the most common misconceptions about cloud security, what strategies he would recommend for securing hybrid cloud environments against sophisticated threats, how organisations can align their cybersecurity strategies with their overall business objectives, as well as ways AI can be a game-changer in incident detection and response.

What strategies would you recommend for securing hybrid cloud environments against sophisticated threats? 

My recommendation would be: Make sure to properly leverage the power of APIs. As an example, take two basic cybersecurity building blocks: Asset Management and Hardening.  These two areas, despite the advances in technology, never fail to be mismanaged by all but the most mature organisations.   

The cloud has made it considerably simpler to ensure adequate asset management (know what you have) and hardening (least functionality). With the power of APIs like those provided by all major cloud vendors, organisations can now easily deploy servers, firewalls, load balancers, and many other appliances. Importantly, they can also configure and control the maintenance of their environments, not via tedious software agents deployed everywhere, but via APIs.  

The key here is that once the scripts have been written, and the proper authentication and authorisation, confidentiality and integrity controls are in place, managing your assets and their secure configuration is potentially orders of magnitude easier than in an on-premises environment. This is also true for detection and response activities as API logging services will provide information-rich audit logs. 

Of course, new technologies such as CNAPP promise to maintain your cloud security posture for you and when properly configured they can provide great benefits. But oftentimes it’s not a piece of shiny technology that you need but just a better understanding of the options available to you. 
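As an added illustration of the API-driven asset management and hardening checks described in this answer (example code written for this page, not Adnovum's or the interviewee's): the security group and audit records below are constructed samples shaped like AWS EC2 `DescribeSecurityGroups` and CloudTrail output, and the public-port allow-list is an assumption. The check flags rules open to the whole internet outside that allow-list, then uses the API audit trail to attribute who opened them.

```python
"""Hardening and audit checks over cloud API data (added example; sample data is constructed)."""
# Constructed sample shaped like an EC2 DescribeSecurityGroups response (not data from the page).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]

# Constructed sample shaped like CloudTrail records (real field names, made-up values).
SAMPLE_AUDIT_EVENTS = [
    {"eventTime": "2024-05-01T09:58:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-db"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deployer"},
     "requestParameters": {"instanceType": "t3.small"}},
]

# Least functionality: only these ports may be reachable from the whole internet (assumption).
ALLOWED_PUBLIC_PORTS = {80, 443}

def find_overexposed_rules(groups):
    """Return (group_id, protocol, from_port, to_port) for every world-open rule outside the allow-list."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                continue  # rule is not open to the internet, nothing to flag
            if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and all ports
                findings.append((group["GroupId"], "all", None, None))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if not all(p in ALLOWED_PUBLIC_PORTS for p in range(lo, hi + 1)):
                findings.append((group["GroupId"], perm["IpProtocol"], lo, hi))
    return findings

def attribute_findings(findings, events):
    """Link each flagged group to the audit events that changed its ingress rules (when, by whom)."""
    flagged = {f[0] for f in findings}
    attribution = {gid: [] for gid in flagged}
    for ev in events:
        gid = ev.get("requestParameters", {}).get("groupId")
        if ev.get("eventName") == "AuthorizeSecurityGroupIngress" and gid in flagged:
            attribution[gid].append((ev["eventTime"], ev["userIdentity"]["arn"]))
    return attribution
```

With real data the two sample lists would be replaced by the paginated API responses and the CloudTrail events for the same account; the checks themselves stay the same.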

In your experience, what are the most common misconceptions about cloud security? 

This is a fun one, because the answer to the question usually lies at the two opposite ends of the spectrum. “Cloud is inherently unsafe” and “cloud service providers have hundreds of Cybersecurity professionals working for them, they’re much better than you can be”. 

As always of course, there is truth in both these sayings. Yes, blindly trusting that your cloud provider will provide 360-degree security will inevitably fail. Interestingly, many organisations still don’t understand the “shared responsibility model”. Anyway, it means that you still need to invest in cloud security yourself through time, resources, people, processes and technology.

And on the other hand, completely dismissing the cloud doesn’t make sense either. As explored above, when leveraged correctly, cloud utilities can bear great security benefits. 

Of course, there is one elephant in the room here. The internet used to be a place of decentralisation. Now it’s being centralised again, mostly by the major cloud service providers. This provides ample opportunity for philosophical debates about the future of the internet, but for the topic at hand it also means: You may want to look twice before putting all your eggs in one basket (or three baskets), especially when those baskets are so enticing to the cybercrime world.  

In what ways can AI be a game-changer in incident detection and response? 

While this is an interesting topic, humans have never been very good at predicting the future. AI had been “just around the corner” as early as the ’70s and ’80s. And then again, nobody could have foreseen the colossal changes we’ve all recently witnessed with the rise of generative AI.

A fellow cybersecurity specialist is convinced that SOCs won’t employ humans anymore in ten to 20 years. While I am not convinced that humans will ever be out of the loop here (until we’ve truly built an artificial general intelligence) there is no doubt that with today’s advances, the analysis of log data, especially if it’s not full of garbage in the first place (garbage in -> garbage out), has become much more effective. From sorting through data, to detecting problems and effectively correlating data from several sources, modern generative AI provides a fantastic lever to reduce false positives and focus on what’s important. So yes, I believe it is already changing the field, but we have yet to really measure the actual benefits before we can make more precise predictions.  

How can organizations align their cybersecurity strategies with their overall business objectives? 

This is a good question. It also shows that the modern CISO’s talents lie not with technology, but with the power of communication.

I’ve learnt this from a CISO myself and can only repeat it here: The best way to approach this question is to address your business leaders like a good salesperson would: By truly trying to understand what drives them. What keeps the CEO awake at night? What are their biggest priorities? 

Finding a way to position a cybersecurity programme in line with the ambitions of top management is not as impossible as it may sound. “Availability” for instance, is a great example. Your core business processes need IT availability to function. How do we ensure that? This question is the beginning of a great conversation. 

Some people want to talk numbers but, in my experience, this is mostly painful and often ends in disappointment. Talking to someone about annualised loss expectancy when they are used to hearing about return on investment is a tedious affair.  

What are the key components of a resilient enterprise cybersecurity strategy in the face of evolving threats?   

I think one of the key aspects of modern cybersecurity is the supply chain. Modern organisations have complex infrastructures with hundreds, if not thousands, of providers. I’m not only talking about cloud or software providers, but all kinds of providers, down to those that send people to fix your printers. Serious risks can hide anywhere and we all know this; the SolarWinds attacks and the Xplain affair brought this to the forefront.

And yet, I still regularly find that contractual agreements with certain providers contain little to no security requirements. It’s baffling but true. If the vendor is not considered critical, security is just not there. And often companies, especially smaller ones, assume that their IT provider will do the “right things by default”, such as patching their servers. But cybersecurity costs money, and if it’s not contractually anchored, it won’t happen. In bigger companies, the relationship between the CISO office and the procurement team can also sometimes be dysfunctional, or at least imperfect, leading to similar problems. 

So again, the problem isn’t necessarily on the technical side (is the software I’m buying securely coded?), although it can most certainly be; the problem may start with something as mundane (to a cybersecurity professional) as a contractual agreement.