Cody Pierce is the CEO and founder of Neon Cyber. He has 25 years of experience in cybersecurity and a passion for innovation.
The idea of the cybersecurity perimeter has been around since the dawn of the internet. At that time, most organizations had computers in an office and servers in a closet or data center. To secure those systems was straightforward. Block incoming internet traffic with a firewall or use a VPN, and that was enough.
But times have changed dramatically. As we have evolved through the dot-com boom, the mobile boom, the cloud and so on, we have continued to perpetuate the same perimeter defense ideas and tactics. But how many perimeters can you attempt to build before taking a step back and thinking about cyber defense holistically?
The fact is, cybersecurity has no perimeter, and it’s time we stopped pretending it does.
People, Data And Technology
Taking a holistic approach to cybersecurity requires us to rethink not only how we stay secure, but what we are securing.
To help reset our mindset, let’s focus on three key areas that support a new approach to your cybersecurity program: people, like employees, contractors and customers; data like intellectual property, customer information and internal communications; and the technology you adopt and rely on to operate effectively.
To put this simply, your goal as a security leader is to defend the intersection of people, data and technology. I like to imagine a graph where those three are the nodes, and the edges represent the connections between them. With that in mind, does a traditional perimeter make sense? Of course not.
People
Business leaders significantly overlook people when it comes to cybersecurity. We typically treat them as an afterthought and focus too heavily on the technology they use. For instance, we do a lot to secure the devices they use or the networks they connect to, but do little to understand and inform their adoption and operation of tools such as SaaS software.
However, employees have access to more private corporate information and are more vulnerable to attack than a device.
As a fundamental node in our imagined graph, we need to know who they are, where they are, what data they can access and what technologies they rely on. Understanding this gives us an accurate picture of their risk, and we can adopt security measures to defend them, regardless of whether they are in an office, working remotely, on the move or using a laptop.
This approach requires new tools and strategies that focus on the observability, governance and protection of your workforce, which is independent of everything else.
Data
Data is quickly becoming the most underappreciated facet of cybersecurity. Fortunately, that is changing with the rise of AI, where companies want all of their data available for AI models to leverage.
However, before we fully embrace AI, we must first understand how data flows through our organization. Do you have a central SharePoint system that everyone has access to? Do you send email attachments? Is data being uploaded to ChatGPT? If you can’t answer these questions quickly, you will lose any hope of governance.
The first step you need to take is observability. If you could not answer the previous questions, you have work to do. Identify the sources of data available to people in your organization and add access logging and auditing. If someone downloads a file or sends an attachment, you should have a record. If they upload data to a website, you should have a record. If you can comfortably investigate how a PDF went from SharePoint to a third-party vendor, you are making progress.
You can always build more defenses on top of observability, but you can rarely secure what you can’t see.
Technology
Technology encompasses the hardware, software and services that your business relies on to accomplish its objectives.
Most businesses have the most experience and solutions for this category. If you want to secure your devices and cloud, you have EDR; if you’re going to secure email, you have email gateways, and so on.
But technology is constantly evolving, and security teams must keep up. SaaS sprawl is prevalent, and AI vendors are everywhere, with little support for the security team to keep us safe.
The most significant distinction between the rapid pace of technology 10 years ago and today is the decentralization and increased availability. By the time a new AI model is available, users are creating accounts and uploading documents, while attackers are finding ways to leak data and exploit loopholes.
The Borderless Future
The perimeter is gone. It didn’t just fade; it fractured. Work is not bound to offices. Data doesn’t live inside silos. And people are everywhere, logging into SaaS apps from every browser, every device, every location.
Yet, most enterprise security strategies still focus on protecting infrastructure, rather than the people, data or technology. If we continue to think of perimeter defense in the modern era of remote work, SaaS and AI, we will fail.
But all is not lost. If you approach your cybersecurity program holistically and commit to securing the entire ecosystem, you will stay ahead in the exciting future of business.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
