Adam Maruyama, field CTO at Garrison, discusses the company’s hardware-enforced security strategies and the sustainability concerns of the AI surge.
Adam Maruyama is the field CTO at cybersecurity company Garrison Technology, which was recently acquired by Everfox. With 15 years of experience in cybersecurity, including working in counter terrorism, Maruyama now serves as the “bridge” between Garrison’s R&D team and its customers.
“On one hand, I’m an evangelist for our products and our hardware-enforced security (hardsec) philosophy, which looks to leverage fixed-function hardware to ensure that critical security functions are not subverted by hackers,” Maruyama says.
“On the other hand, it’s my job to understand both the threat environment and the complex ecosystem – economic, political and organisational – in which my fellow cybersecurity leaders operate and ensure that our R&D efforts are aligned accordingly.”
What are some of the biggest challenges you’re facing in the current IT landscape and how are you addressing them?
From a threat perspective, we’ve seen actors developing increasingly sophisticated techniques, armed with advancements like generative AI, which allows for quicker generation of attack code and more believable content for phishing attacks. We’ve also seen the most sophisticated actors, like nation state-sponsored hackers, expand their target set beyond traditional ‘crown jewel’ governmental targets like classified networks. Instead, we’ve seen actors like Volt Typhoon who are increasingly willing to develop, expand and maintain a presence in the systems that are most critical to our economy and our lives, such as water and power.
In parallel, we’re seeing the IT needs of businesses grow in ways that increase risk. More corporate data is being stored with third parties, and employees are increasingly reliant on the internet to provide the connectivity, knowledge and tools they need to drive mission and business outcomes. As a result, the most risk-avoidant strategies in cybersecurity, which block access to large parts of the internet, are untenable for all but a small fraction of organisations – and, even for such high-security organisations, these controls are often applied to only a small enclave.
We approach this challenge by using hardsec to enable access to valuable information and applications on the web and in other risky environments while removing the vast majority of the risks involved. By using fixed-function hardware in our solutions – including cloud-hosted hardware that we make available to customers as a service – we ensure that only safe but interactive video streams of risky websites, VDIs [virtual desktop infrastructure] and consoles are provided to customers, giving them most of the benefits of access while creating an impermeable trust boundary that ensures that malicious code doesn’t get in and corporate data doesn’t get out.
Sustainability has become a key objective for businesses in recent years. What are your thoughts on how this can be addressed from an IT perspective?
One of our biggest contributions to sustainability as an IT community and as technology thought leaders should be responsible use of AI. I’ve never seen a relatively nascent technology gain traction so quickly, and its rapid growth means that we’re only now catching up to the resource implications of the compute-intensive large language models that power generative AI.
I live in Fairfax County, one of the largest hubs of data centres in the world. The increasing demand for cloud connectivity, driven in large part by the massive spike in AI, is taxing our electricity distribution infrastructure in ways that would have been hard to predict even two or three years ago. As a result, I’ve seen the very real impact of generative AI on the systems that power not only IT productivity, but also the day-to-day lives of individuals.
I’m far from an AI naysayer – it’s a very interesting technology with fascinating applications. But I’ve also seen it shoe-horned into use cases where far simpler and less resource-intensive solutions would have done a better job for the task at hand. By all means, technologists should experiment with AI, but they need to do so with a ‘fail fast’ mentality that acknowledges that not every product needs to have an AI tie-in. Attempting to use AI in cases where it just doesn’t fit is deleterious to not only sustainability, but also the resulting product.
What big tech trends do you believe are changing the world and your industry specifically? Which of these trends are you most excited about and why?
I’ve already talked a little bit about the big trend of AI in the context of sustainability, so I’ll talk a bit about the wonkier policy trend, driven by CISA [Cybersecurity and Infrastructure Security Agency] and its partners in the UK, Canada, Australia and Canada, of secure-by-design solutions. The secure-by-design development practices that CISA’s pledge has introduced are fundamental to good software security, but what interests me more is the philosophical underpinnings of what it means to be ‘secure by design’ in an increasingly connected world.
On a scale that’s broader than any one product, thinking about security as a part of technological design is the long tail of the technological revolution that we saw beginning at the end of the 20th century. We thought we could build and benefit from interconnected systems and assign security as a secondary function that small, niche teams of specialists could remediate. But the emergence of ‘secure by design’ about 25 years later illustrates that’s not possible. The risks of being interconnected are fundamentally entangled with the benefits of connectivity, and these risks are shared between the vendors who develop solutions and the customers who consume them.
The current iteration of ‘secure by design’ emphasises the importance of incorporating security into the product development process. I’m excited to see the discussion evolve to recognise that security and productivity are similarly two sides of the coin in network architecture and the selection of organisations’ tech stacks; NIST security frameworks should be one and the same with good network design, not bolt-ons that are applied for compliance purposes.
What are your thoughts on how we can address the security challenges currently facing your industry?
We need a whole-of-society approach to cybersecurity. That starts with recognising that cyber risk is business risk, but it goes much deeper than that. It’s about nourishing a view that cybersecurity is a basic safety measure, not an arcane technical discipline where a handful of experts are all that’s needed to protect a Fortune 500 company.
From a user perspective, it means understanding that cybersecurity-related friction is not always a bad thing. The beep that sounds when you’ve turned on your car but haven’t fastened your seatbelt may be annoying, but most drivers will agree that it’s a small price to pay compared to the death or injury that could be caused by a collision without a seatbelt. Similarly, when products introduce friction for security’s sake, whether it’s multifactor authentication or a pop-up letting the user know the site where they’re entering their credentials may not be what it claims to be, users need to understand that there’s a good reason for that friction.
At the same time, vendors need to take a user-centric approach that’s built around empowering and trusting users rather than putting up hurdles for no reason, or for opaque reasons. Don’t bombard users with technical manuals or obscure terminology – tell them in plain language what risks they may be taking and provide awareness of those risks in real time, rather than in quarterly or yearly training. Then trust them to make the right decision, and take a lessons-learned coaching approach when they don’t make the right decision.