Posted on Reading Time: 3 minuteson
As the pace of software innovation continues to “eat the world,” it can feel like cyber threats are driving our economies and societies at least one step back for every two steps we take forward. Halfway through 2021, the overall track record of government and industry at protecting themselves, their employees, and citizens against cyber attacks is, to put it mildly, pretty poor.
We can welcome the G7’s call for action against ransomware in its most recent communiqué. But we should also wonder aloud why it’s taken so long to trigger this as a priority, what reductions in ransomware-attack impacts we can expect and when, and how those targets will be met. And we should look for other ways to improve the cybersecurity ecosystem to make it easier to reduce risk.
The conventional approach of cybersecurity vendors to problem-solving is partly helpful, partly not-so-helpful. On the upside, vendors recognize that businesses have to continue exploiting the opportunities of digital transformation at least as fast as competitors (preferably faster). Also on the upside, vendors are investing in new market spaces like Secure Access Services Edge (SASE) products and services that can incorporate a Zero Trust framework to help organizations reduce cyber risk.
The not-so-helpful aspect of the modus operandi of security vendors is the spotty, supporting role played by standards. Where the telecom industry takes to standards rather like ducks to water, much of the cybersecurity vendor community has tended to take to standards rather more like cats to water. Telcos are the dominant buyers of telecom hardware and software. Interoperability is also critical to their business. In cybersecurity, the buyer market is far more fragmented. Individual businesses buy and build a lot more of their own security solutions. As a group, managed security service providers (MSSPs) have nothing like the buying power of telcos, not even in relative terms. In the cybersecurity world, integrations (proprietary or open) and open APIs offer vendors a valid way of marginalizing industry-agreed standards that aren’t readily available in the telco world.
The result? Enterprise security operations are characterized by an accumulation of dozens of different, overlapping, vendor products. Some of these don’t even talk to each other at all. Some only talk to each other through complex integrations. One of the biggest pain points for enterprise chief information security officers (CISOs) is that their environments are far too complex.
So, while cybersecurity vendors all support the high-level principles that underpin SASE and Zero Trust, beyond that common baseline advocacy, the competitive gloves are well and truly off. Reflecting different starting points in their portfolios, many vendors are talking straight past one another on both SASE and Zero Trust. They’re generating very different messages regarding what’s a “must-have” and what’s a “nice to have”—whether SASE is a product or a service; whether it must be an all-cloud delivered service or whether on-premises components are necessary (or inevitable). They’re arguing about what Zero Trust is and what it isn’t. What exactly is the difference between a software-defined perimeter (SDP) and a zero trust network access (ZTNA) product nowadays anyway?
Hence, as well as talking past each other, many security vendors are also talking straight past a lot of enterprise buyers, many of whom face a lot of complexity in adapting their environments to benefit from these solutions. This obfuscation of the human interface—let alone the technical ones—between cybersecurity buyer and seller is a longstanding problem. Left unaddressed, these issues will result in scenarios where more sub-optimal decisions and vendor selections are made.
It’s against this background that I recently spoke with Ralph Santitoro, Board Director, MEF, about the direction in which the organization is heading in the cybersecurity space. Ralph shared MEF’s ambitions to extend its background in Optical Transport, Carrier Ethernet, IP and SD-WAN services into standards development for application flow security, SASE, and Zero Trust.
The goal is that a buyer of a MEF-certified SASE service will be able to know with certainty—not to mention simplicity—what the baseline properties and features of that SASE service are. And, also, that SASE services will have a ready-made, MEF-certified Zero Trust framework to plug into.
Take a look at our video conversation. As well as explaining MEF’s rationale for driving cybersecurity standardization in services, Ralph also had answers for how MEF is accessing the cybersecurity expertise to get this done.
Learn more about MEF’s work in SASE and Zero Trust.Tags: zero trust