Technology is only a small facet of security problems
Referring back to the map analogy discussed in Yoran's keynote speech, Kok said that we need to recognise the current reality.
"We cannot be stuck in the mindset as that of 15 years ago. Instead, we need to learn to adapt and acknowledge that a lot of things that we have done so far are wrong or have failed," he said. "If cybersecurity had been successful, you wouldn't be reading about all the cybersecurity incidents on the news on a very regular basis. As such, we need to start looking for new ways of doing things."
For instance, with the advent of third platform technologies, we have to ensure that the 'map' we have now will work for this new terrain of technologies such as cloud, social, analytics and big data.
"What CIOs need to do is understand this new landscape and think about how they should extend their protection to keep the organisation safe without compromising security," said Kok.
Delving deeper into the idea of effective security, Kok said that it is critical to align people, process and technology.
"If you think about technology as a door, you can have the strongest door in the world with the best lock in place. But if someone leaves the key at the doormat, it defeats the purpose. Or if someone places the password blatantly on the door, then that's not going to work as well. This idea always starts with the people and they are the most important out of these three elements," said Kok.
According to him, "people" encompasses everyone within the organisation - from the higher-ups down to the subordinates. People who own the business need to take accountability and recognise that there is an important issue so that they can put in the right investment and directive to address the security threat, said Kok. Security departments also have to "police" the rest of the organisation, and make an effort to educate them to raise their security awareness and fix their bad behaviours that could potentially compromise private and sensitive corporate data.
Once the strategies for "people" are in progress, organisations need to ensure that they have the right processes in place. Processes and procedures are used as the 'glue' regulating the way people and technologies interact with each other. Procedures are critical, yet are hard to define, maintain and enforce.
The last element, technology, is just a small part of this security issue, according to Kok. Technology is an enabler, but technology itself does not solve the problem, he added.
"The large part of why cybersecurity has failed is that we have this dependency on technology. For a long time, we viewed cybersecurity as a technology problem and often times, we seek to overcome this problem by using another technology," said Kok. "So people just go out and buy technology products thinking that it will solve all their problems, but they fail to realise that the products alone will do no good. They don't look for what else is missing. Bad guys are still coming in despite these investments, so there is a lack of visibility and you can't stop what you can't see."