As a CISO, it’s likely that you often hear about what you should be doing to protect your systems and data better: Buy this software. Deploy that system. Use this service. Hire these people, etc.
However, how often do you hear about what you should stop doing, which technologies you should turn off, or which projects you should cancel?
Recently I posted a query about this to a security expert community on LinkedIn, and also spoke with hundreds of CISOs during roundtable dinners as part of a research project with a large group of CISOs and other experts. The goal of the project is to redesign our operating model of security and challenge every aspect of how we manage our controls today to prepare for digital transformation.
The post asked participants to help build a list of things security executives need to stop doing. The query drew more than 200 comments, covering a range of cybersecurity areas — including firewalls and their place in the modern security program. One of the examples provided by the CISO group was to stop thinking the firewall is the most crucial security control or technology, or that it is even going to be relevant in the cloud-based future to come.
Challenging assertions about the need for long-standing industry technologies is a controversial topic in the cybersecurity world. Firewalls are like a religion to many security people, the tried-and-true mechanisms for keeping the bad actors out of corporate networks and systems.
Ask many security executives to identify their most trusted and essential assets, and they will almost certainly mention firewalls. Companies continue to spend a good portion of their cybersecurity budgets on firewall products, and security organizations can’t imagine their security programs without these long-standing guardians of the enterprise network.
However, this is an outdated approach, and it could make organizations more vulnerable to attack over time because it does not address the types of threats and adversaries companies are facing today. For that reason, blind devotion to firewalls can become toxic for organizations, keeping them from providing the level of security they need in today’s environment.
To be clear, this is not a suggestion that organizations immediately rip out their firewalls because they are no longer needed. However, security leaders need to accept the fact that the firewall is much less significant than it was in the past, and it will become even less significant in the future as more IT infrastructure moves to the cloud.
Firewall products have primarily bec