CISOs should be ready for the next evolution of cybersecurity: NetApp CSO Mignona Cote


Cybersecurity measures have improved significantly in recent years, but so have the techniques of cybercriminals. As a result, security leaders are facing multiple complexities that they must tackle head-on. In an interview with TechCircle, Mignona Cote, cyber-security evangelist and Chief Security Officer at NetApp, discusses the changing role of CISOs in the complex cyber-landscape, closing the security gap, and how they should prepare for the next evolution of cybersecurity. Edited excerpts:

What, in your opinion, are the biggest challenges facing security leaders currently?

The cyber threat landscape is becoming increasingly complex, with threats constantly emerging. On one hand, there is a shortage of talent as the demand for cybersecurity workers exceeds supply. This shortage negatively impacts organisations' cyber defense. On the other hand, security leaders struggle to manage multiple vendors who pitch multiple solutions. This leads to difficulties in integration, visibility, and control. Keeping up with the latest and evolving technologies in the cyber space is yet another challenge. Overall, the challenge for CIO/CISOs is to keep pace with all of this within a specific budget and time frame while ensuring the protection of their organisation and stakeholders.

Technologies like cloud and network security require significant upskilling and reskilling. How are you addressing this challenge given the substantial skills gap in cybersecurity?

While there is a cybersecurity skills shortage, companies have begun taking action. More colleges and universities are launching educational programs in cybersecurity, compliance, and risk management. This allows individuals with a passion and curiosity for security to earn degrees and certifications in security and cyber defense. Bootcamps and hackathons are being organized to bring more people into security. Online education providers are also increasing the number of cybersecurity courses and programs they offer. At NetApp, we provide ample training and courses in cloud security and AI, which has become an essential tool in the fight against cybercrime.

How has the role of the CISO evolved or changed in response to the increasing threat, particularly in the last 2-3 years? 

The traditional security person was primarily a technician, but today the number one job of a CISO is to build relationships with the board and have partnerships with peers. Business continuity and operational success depend on these relationships, so investment in training to develop and nurture these skills must be prioritised. On a more fundamental level, security cannot be left solely to the CISO. The role is changing with the rapid evolution of technology, business, and the threat landscape. Security has become intrinsic to every aspect of the company's security and operations. Therefore, CISOs need to effectively communicate the complexities to the board and leadership. It is a challenging but exciting time for CISOs to move ahead and continue growing.

As a data storage company, what percentage of the overall tech budget goes to cybersecurity in your organisation?

We do not calculate based on a percentage of the tech budget. Instead, we use a bottoms-up structure. We assess the risk and determine what we need, then build a business case and invest accordingly. Today, all of our engineering is part of security, and 75% of our staff comprises engineers because we build technology with security baked into it. Additionally, 50% of our security staff is based in India, mostly in Bangalore, and they work with cutting-edge technologies and products.

How can generative AI enhance your cyber defense arsenal?

Artificial intelligence, particularly generative AI, is set to play a key role in easing the skills shortage and automating security tasks. It can help CISOs in areas such as process automation, advanced analytics, and managed services. This, in turn, can improve staff efficiency and productivity. Generative AI can also assist security analysts in areas such as alert triage and security investigations. However, extensive training is required to make generative AI more meaningful, productive, and free from bias, which I believe still has a long way to go.

How is NetApp helping customers, both on-premise and in the cloud, gain visibility across their data estates?

One of the significant challenges in managing a hybrid-cloud environment is finding tools to securely manage resources across cloud boundaries. That said, with workload portability enabled by modern cloud-native technologies, the ability to manage all workloads through a unified control plane is critical. At NetApp, we have BlueXP, a management tool that allows storage administrators to manage the entire data lifecycle for data stored on NetApp storage technology, whether on-premise or in the cloud. It provides an AIOps-driven experience that simplifies traditional storage management and provides visibility into factors impacting cloud and subscription costs.

In what ways are you enabling CIO/CISOs to achieve cyber-resilience by 2024?

This year, we announced updates to our unified data storage solution to tackle the menace of ransomware with the extension of NetApp's Ransomware Recovery Guarantee. It allows NetApp to guarantee snapshot data recovery in the event of a ransomware attack, providing compensation if data copies cannot be recovered. Moving forward, we will begin building security as code, which involves integrating security into DevOps tools and processes by identifying where security checks and tests may be included without making changes to code and infrastructure. This means securing Google, Azure, and AWS environments via code rather than through setting configurations.

Secondly, threat detection and monitoring with AI will be significant going forward. With Threat Detection for NetApp, businesses can minimize unnecessary recovery costs. Additionally, compliance regulations typically require organisations to use a security solution to protect their means of storage. We are modernising and creating stronger efficiencies in the way we build our solutions. We would also invest considerably in training programs in the next one year in various cyber-security domains.

