Manish Gupta has overseen the growth of a number of security firms during critical periods. As Chief Product and Strategy Officer at cyber security firm FireEye, he expanded the company’s portfolio from two to more than 20 products and increased the company’s value tenfold. Before helping FireEye expand its offerings, Manish served as Vice President of Product Management for Cisco’s $2 billion security portfolio. He also helped grow McAfee’s network security business as the Vice President and General Manager of the firm.

Manish was also the Vice President of Product Management at iPolicy Networks, where he helped created the Next Generation Firewall category in 2005—a technology designed to add new protections against application attacks in addition to the network attacks defended against by standard firewalls.

International Business Times: You have overseen a considerable amount of growth in the security industry over your career. What are some of the biggest changes you’ve seen in how organizations approach information security and where is improvement still needed?

STRUCTURE SECURITY -- USE THIS ONE Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Photo: Newsweek Media Group

Manish Gupta: Our customers and the security industry have come a long way. Given that software touches almost every facet of our lives – from refrigerators, to cars, to enterprise applications, to nuclear reactors – the fact that we haven’t seen a large scale meltdown asserts that we have done well. But, have we done well? Or just been lucky? Many would consider Equifax and all these major breaches as meltdowns. Most would feel we have not done well—we are playing cat and mouse with hackers and are always behind. It seems we have achieved a precarious balance by working hard, not smart. We have focused all our efforts on fighting threats. To get better, organizations need to change their approach and focus on the root-cause of attacks. Healthcare offers a good parallel. We can choose to fight the symptoms or the root-cause. We can choose to fight obesity with drugs as the first line of defense. Or we can understand that in the majority of the cases the root cause is an unhealthy lifestyle, and first and foremost focus on improving that.

Similarly, most security products are focused on threats like viruses, worms, malware. And because the bad guys have access to the same innovation we have access to, malware evolution is rapid. As an example, in 2016 at FireEye alone we saw more than 100,000 pieces of malware per day. This inherently makes the security industry reactive and inefficient. The movement of the software into the cloud, for the first time in the digital age, changes the industry dynamic where software doesn’t have to be shipped to hundreds-and- thousands of customers worldwide. Instead it is offered as service, which has enabled a rapid pace of innovation. We have a unique opportunity to improve security moving forward by inserting it into the software itself by understanding the specific security needs of the software, as opposed to merely reacting to threats. This approach leverages the pace of change in software development to enhance security, making it much more efficient.

IBT: What are some of the biggest challenges to organizations when it comes to securing their systems and information as they grow?

Gupta: Mark Andreessen’s famous quote comes to mind, “Software is eating the world.” Gartner has said, “Cloud computing is one of the most disruptive forces of IT spending since the early days of the digital age.” Already today 41 percent of workloads is in the public cloud. All this points to the rapid, widespread adoption of public cloud, confirmed by most companies in most industries embracing the public cloud.

But most security products were developed for an era when enterprise software was bought as shrink-wrapped software and deployed in the data center. The prevailing best practice in security is to deploy multiple layers of security in front of the data center—kind of like a deep moat all around a castle—all of which focus on their flavors of threats. Some focus on viruses, some on worms, some on malware, etcetera. This architecture is ill-suited for cloud-based software, and there is an urgent need to rethink security for cloud software.

One approach is to adapt yesterday’s security solutions to the cloud. But the techniques used today – threat focused security – aren’t cutting it. After all, even with today’s software adoption, we don’t have enough talent in the world to address all the security alerts that are created. How is this approach going to scale to a world where software is everywhere? This is one of the biggest challenges organizations face today. An alternative to consider is to use the characteristics of cloud software to devise a new approach to security. We have a unique opportunity to insert security into the software itself by understanding the specific security needs of the software, as opposed to merely reacting to threats. This approach leverages the pace of change of the cloud to enhance security, making it much more efficient.

IBT: How has the threat landscape changed over the course of the last decade and what threats loom largest for organizations going forward?

Gupta: The key evolution in the threat landscape can be summarized [in three parts]:

  • The sophistication of attacks and attackers has gone up significantly. The tools and techniques used by nation state attackers are now being used by financially motivated attackers.

  • Attackers are going after almost every industry – what they go after is different than years ago. In some cases, it is intellectual property, in some cases it is customer information, in some cases it is to reach the customer’s partners, etc. But no industry seems immune.

  • Increasing polarization across the world means less cooperation across state lines. This implies that attackers in Russia and China can target companies in the US without impunity. Increasing digitization around the world will bring additional countries and their citizens into this mix, making the security problem worse, and attack attribution even more difficult.

Instead of doing the near-impossible job of predicting what kinds of attacks will we see next, we can predict with more certainty what will be the attack surface the attackers will go after next. By now we have learned this: Wherever there is something of value in the digital domain, there is someone who is trying to steal it. As software is moving to the cloud, many organizations are assuming that their cloud provider—Amazon Web Service, Google Cloud and Microsoft Azure—will protect them. Whereas all three are on record saying that while the public cloud providers are responsible for the security of the infrastructure, the customers have to take the responsibility of protecting their own applications. The Equifax breach, where hackers have stolen identities of 143 million people, is an example of the attackers going after cloud software. Cloud software is the engine of innovation and is undergoing rapid change as software vendors try to meet customer requirements ever faster. But change disrupts security, making it easier for attackers to steal. The biggest security problem of the next decade is to figure out how to protect cloud software without slowing innovation. At ShiftLeft, this is the problem we are working on.