01732 759725 32 CYBERSECURITY ...continued fine, but that doesn’t mean it is secure for security practitioners who are trying to find the misconfigurations in libraries.” Montel adds that there is a common misconception that code is better because it's coming from AI rather than a human, when in fact it is quicker, not better. Identity risk AI aside, Montel says that Tenable’s greatest priority, with customers moving more and more to the cloud, is to become cloud security specialists, and that includes identity security, which is the main vector through which attackers gain access to data. “We cannot put an agent in a cloud service. We cannot put AV (anti-virus) in a cloud service. Every step we have taken in the past 20 years doesn’t apply. So, we have to reinvent ourselves. That's why we acquired Ermetic – to have a native cloud solution. And on top of that, the main use case is something called CIEM, which stands for cloud infrastructure entitlement management. To put that in English, entitlement is access. So identity is still the number one priority and identity in the cloud is the number one challenge that we want to be able to help our customers with.” He says that his ambition for Tenable is to focus on prevention and to provide everything that customers might need in that domain, leaving MSSPs and strategic partners like Sophos (see box on page 31) to recommend and provide solutions for detection and response. “Prevention is a domain by itself. And that's why we have expanded in that domain. We are already recognised as the leader in vulnerability management, the core domain, the one in which we’ve been active for more than 20 years. Now that we have expanded into OT, identity and cloud, we go beyond just vulnerabilities exposure.” This expanded capability, he suggests, is helping Tenable to meet the needs of a wider cross-section of users. “We have three layers of user: the security practitioners, who use the technology tools I mentioned; the cyber security director, who has access to those platforms; and the CISO above them who uses the reports we produce with them. We go into the CIO when we have the capability (and moving forwards we will have the capability more and more) to identify the risk associated with the digital transformation of their company. The CIO has a responsibility to drive the digital transformation of the business; and the CISO has a responsibility to reduce the cyber risk. “Now, with our holistic exposure management approach, we have the ability to give KPIs or KRIs, key risk indicators, for their technology and their business transformation. Security practitioners want to know, am I exposed? The CEO wants to know, am I exposed to something which is business-critical? And the CISO wants to know how am I exposed? All those questions we now have the ability to answer.” Tenable is available in the UK from distributor Arrow. generative AI can help Tenable propose a remediation plan which is in context, dynamic and changing. We do that as well.” Montel says that while AI is helping customers to move faster, organisations will still need technical skills to use their security tools and will still need human involvement rather than relying on AI to do everything. “Whatever progress AI is making, we still need human validation. We're talking about cyber risk management here; the person in charge of cyber risk exposure management cannot delegate responsibility for that to AI. We have to keep AI where it is, which is as a Decision Assistant, albeit one that is smarter than it was before.” Montel warns that while the productivity benefits of generative AI might blind business users to certain security risks, those responsible for cyber security in an organisation can’t afford to be so trusting. To make his point, he cites the example of software developers who use generative AI to cut development times from one month to a week (not hours, he says, because code developed by generative AI tends to have a lot of mistakes and needs to be reviewed). He warns that there have been cases when ChatGPT has asked developers to use a code library that doesn’t exist. Attackers learn of this, create that library and push it into public repositories. When developers get the code and see it is working, they think there is nothing to check, and leave it to work. “For developers the code is working
RkJQdWJsaXNoZXIy NDUxNDM=