What COVID means for cybersecurity strategy

Image: Jon McGettigan, Fortinet.

Jon McGettigan, Fortinet.

Content sponsored by Fortinet.

Jon McGettigan has seen Australian organisations’ approach to cybersecurity evolve over the 14 years he has handled Fortinet products.

Today, he is Fortinet’s regional director for Australia, New Zealand and the Pacific Islands, leading a team that helps customers design solutions around Fortinet’s cybersecurity platform. Close to 50 per cent of service providers in Australia and around 90 per cent of New Zealand service providers use Fortinet products, he says.

We asked McGettigan about the implications of COVID for cybersecurity strategy.

How has the COVID-19 pandemic changed your business?

I’ve been a remote worker [commuting from New Zealand] for eight years now. We have always encouraged an agile work environment for our 20 staff, who have always worked remotely while helping customers across both Australia and New Zealand. In that sense it has been business as usual.

With businesses scrambling to enable remote working during lockdown, we were expecting to see business drop off while they refocused their priorities – but in actual fact our business has seen nothing but a boom. We had high double digit growth in the first half of this year, and actually saw a lot of opportunities were being pulled forward for COVID.

The trend towards distributed workforces began long before COVID. How has it changed the way organisations approach cybersecurity?

The fundamental change I have seen with security is outsourcing it securely. When I started reselling Fortinet in 2006, it was all about selling a big box to protect your gateway and keep the baddies out. It was not really about thinking about user experience, or about users at all; it was about protecting the network, it was an insurance policy, and it was effectively a cost centre.

Over the years I have seen that completely change as businesses move to a service provider environment. They’re addressing the cost to the business, the outsourcing of skills, issues around head count and there not being enough skilled individuals in the industry to have your own security team – so they are relying on other providers.

For a lot of organisations, the way we secure our information has been outsourced in some shape or form – and that tradition, with the journey we have been working on with our partners, is how we sell security as a service.

The whole expectation that we would only build big firewalls to keep people out has changed to ‘how can I use these technologies to provide a much better user experience for users that could be anywhere?’ It’s all about users being secure, and the organisation being nimble and agile while keeping the same level of security.

How has the need to secure remote workers and distributed workforces changed business-as-usual for IT and security executives?

When you have people with distributed network branches or working from home, you want them to get access to business tools and systems as quickly and easily as possible – and that’s why the cloud has come to be more widely adopted as well. Businesses see that they can get all of these cool things because they are protected and secure.

There’s a realisation around cost savings and user experience: if you can get a much cheaper connection to locally break out of your branch and go to something in the cloud, you don’t need to go back to an expensive network.

Education around security has also been quite important: there has been such an increase in cyber-attacks, and there’s a growing knowledge about needing to be secure. Ultimately, the weakest point in anyone’s network is the user – and if the user sees the press talking about it, it filters down and people have more awareness about security. That’s a big change that I have seen come through.

Many companies were dabbling in SD-WAN before COVID – has that changed as they scramble to secure their workers over the past few months?

It’s a journey that customers have been talking about for a while, and they are realising that if they have to look at doing that, they have to look at doing it securely. That’s where the SD-WAN part of our business comes in, and it’s a natural progression of the way that we support our customers.

SD-WAN has been on the hype curve for a while, but now everyone is doing something about it. Technologies like 2-factor authentication (2FA) and endpoint security have become pretty normal, and businesses are moving more workloads than ever to the cloud.

In sites like universities, this means you need more bandwidth and support more connections per second, and all of this relates to security. SD-WAN is about decreasing costs and improving user experience – and because security is so front of mind.

What part of the enterprise network is getting the most attention?

Critical infrastructure is the biggest threat and target, so security is really about ensuring that customers have the best access to advanced security warnings. A lot of operational technology (OT) networks are ineffectual, or ‘build and don’t touch because this is a network that has to be isolated’.

But this is becoming less and less of a reality: we’re seeing that a lot of the technology is old, yet customers realise they might have to get some sort of connection to that technology – and therefore you need to connect and secure it.

Given the things that have happened from state-based attacks, and the government committing to invest more in cybersecurity, it’s the critical infrastructure that they will be looking to move on very quickly – and there is a huge opportunity to improve the overall security posture. The willingness to spend money is there, so now it’s just about the execution and the timing.

Some industries are working together to address cybersecurity at an industry level. Will this change the nature of your cybersecurity engagement?

Everyone feels vulnerable when you go into lockdown, and organisations need to be thinking about their exposure.

Most businesses are prioritising their IT spend, with security at the top of that priority list. And if they’re vulnerable at the moment, they need to spend money where it takes away that risk.

But that’s a different risk to every business, and a different conversation with every industry. The security opportunity for us is huge, but the risk of not securing it is also huge.

Contact Fortinet to learn more about secure networking.