CISO at EDB
Dan Garcia is EDB’s Chief Information Security Officer. Dan is responsible for managing information security within EDB and working across product areas to ensure risk is being managed and customers are protected. Dan also works with customers and the Postgres community to better support customer needs around securing Postgres and their data.
As the value of data rises, so does the demand for increased security measures. We have seen changes in actors and attack patterns: Uber, Rockstar Games, and Nvidia have shown organisations that major disruption is only one crisis away. There will always be threats beyond our control, but we can adjust our thinking, architecture, and philosophies to meet these challenges head-on.
As we move into 2023, IT executives and business leaders should build the following assumptions into their security strategies for the next twelve months.
Increasing security considerations in the cloud
Organisations are adopting cloud-first technology to move faster in their domain while improving cost and time efficiencies. Gartner predicts that 75% of global databases will be on the cloud by the end of this year. This may be an aggressive number, but we do believe that most enterprises will at least move to a hybrid cloud environment in the short term. Though both hybrid and multi-cloud approaches offer greater options for accessibility and workload offsetting, these environments can also widen security gaps.
To offset the risk of these vulnerabilities, enterprises will need to deepen their employee education and training. Organisations that cannot safely scale in the cloud with in-house resources should partner with dependable third parties who possess proven experience in privacy, security, and cloud deployments. Lastly, the popularity and adoption of open source databases such as Postgres will continue to rise, selected for regular security and bug fixes and a rich community of members publicly optimising the code to mitigate security threats.
Economic uncertainty leads to vulnerabilities
Inflation and economic uncertainty have led to layoffs of staff and cutbacks in budgets. The resulting decrease in institutional knowledge will have delayed onset impacts on security, and it will be challenging to identify where capacities are lacking before systems break down or the need for migrations arises. The knowledge loss can be more impactful in niche technology use cases and less so in platforms such as Postgres, where there is strong adoption.
This may give rise to new operating service models. Companies that have decided to divest in certain areas may choose to adopt a more flexible service model, and organisations that used to employ 3-4 database administrators (DBAs) may move to a managed service model.
Further investment in Transparent Data Encryption (TDE)
As data security concerns rise amongst large businesses that have accelerated their cloud journey, especially those in financial services, data encryption will become a best practice. This feature greatly enhances data security by encrypting data at the database level, giving full control to the DBAs but preventing unauthorised access to customer data. It can aid in safeguarding confidential data and other cloud data assets from accidental exposure and unauthorised access by threat actors lacking the necessary decryption keys. Overall, this helps organisations create a security architecture that mitigates a number of threats that would contribute to a security breach.
The role of CISO will continue to grow in importance
The modern CISO understands that information risk and compliance are two separate domains of responsibility (compliance being the enforcement of security obligations). Depending on the company’s industry, CISOs need to protect and guide the company during adverse cyber events but also have a role in expanding business growth and helping sales teams remove the friction when selling into new regulated markets.
Information risk programs need to continually assess threats, the internal landscape, and how effective their investments have been operating. When this analysis is being conducted alongside business partners, investments or reallocation of spend can service both information risk and compliance goals while unlocking business growth.