Once the ‘strange kids in the basement,’ CISOs now hold a key seat at the boardroom table: Joshua Goldfarb, F5
Cybersecurity's evolving role in boardrooms, AI adoption, and Zero Trust strategies amidst rising threats.
As digital transformation accelerates, cybersecurity is evolving to meet new and complex threats. Joshua Goldfarb, Field CISO, F5, shares with us how businesses are navigating the challenges posed by cloud-native architectures, API-driven applications, and AI technologies. In this recent interaction, he highlights the importance of simplifying security management, implementing Zero Trust frameworks, and addressing the growing threats from DDoS and bot attacks, all while maintaining compliance with stringent data privacy regulations like GDPR and India’s DPDP Act.
With the increasing adoption of cloud-native architectures and API-driven applications, how has the cybersecurity threat landscape evolved? What specific security challenges are organisations facing today, and how is F5 addressing them?
Over the past five to ten years, we’ve seen a significant shift from monolithic applications to modern, API-driven applications. While this has allowed enterprises to innovate faster and meet market demands, it has also introduced new security challenges. To keep up, many organisations have implemented a mix of cloud and on-premise environments, which has added complexity to their operations.
Managing and securing these environments, especially with the widespread use of APIs, has become increasingly difficult. APIs, by nature, are designed to be open and accessible, which unfortunately creates a larger attack surface for cyber threats. Attackers can now more easily exploit vulnerabilities within these systems.
At F5, we often see our customers struggling with this complexity. In many ways, complexity is the enemy of security. To address this, organisations need to first understand their infrastructure and APIs, then focus on simplifying management, securing their assets, applying policies, monitoring for intrusions, and implementing preventive controls. Discovering and securing their API infrastructure is also crucial. These are some of the key security challenges organisations face today.
Generative AI is being leveraged for both cybersecurity defence and offence. How does F5 incorporate AI-driven security solutions to combat emerging threats, and what role do you see AI playing in the future of enterprise security?
AI is currently a hot topic, but I believe that over time, it will become just another technology we need to incorporate into our enterprises and protect. We’ve seen this progression before: initially, we had security measures for applications, then APIs emerged, which required a new layer of protection due to vulnerabilities they introduced. Now, with generative AI, we face specialised attacks that go beyond API or application security. The industry is responding by adding a layer of security specifically for AI-related threats. However, it’s important to remember that AI applications still rely heavily on APIs, so they behave like modular applications, meaning we can’t neglect our broader security strategies. AI will be just a small part of our overall security challenges, and organisations should continue to focus on their strategic security goals without getting overly caught up in the AI hype.
As more companies embark on their automation journeys and integrate AI into their operations, many claim to be “AI-ready” by leveraging large datasets and industry standards. However, do you feel that in this rush to adopt AI, maintaining a robust security posture or investing sufficiently in security often gets overlooked?
I don’t think security is necessarily being undermined, but as enterprises evolve, certain vulnerabilities or gaps can emerge over time. These can stem from issues like new code versions introducing bugs, shadow API infrastructure being deployed unknowingly, or AI capabilities being added without a full understanding of the security implications. It’s less about overlooking security and more about the need for a strategic, risk-based approach. Companies must continuously assess and mitigate risks, rather than setting up security measures once and assuming they will suffice indefinitely.
Until a few years ago, security was rarely a board-level discussion and was viewed primarily as a technological challenge rather than a business one. Do you think the approach to security has significantly evolved over the years, and if so, how?
Yes, that’s true. I often joke that security professionals used to be like the “strange kids in the basement” of the office, but now many CISOs have a seat at the board or are at least regularly invited to present to the board. This shift has been beneficial for security because it helps us build relationships within the business. These relationships enable us to integrate security from the start, whether in software development, application deployment, or other areas.
It also forces us, as security professionals, to speak the language of executives and the board. In the past, security teams would report metrics like the number of tickets or scans, which don’t resonate with most executives. Having a seat at the table requires us to translate our operational activities into risk-based metrics that the board understands, such as financial loss, regulatory fines, or loss of customer confidence and revenue. This shift has made security more of a business topic and has also helped security teams build stronger internal relationships, which has historically been a challenge.
As enterprises move toward a Zero Trust framework, securing applications and APIs has become a top priority. How is F5 helping organisations implement Zero Trust effectively, and what are the key best practices for ensuring robust application security?
At F5, securing applications and APIs is a core part of our business. We not only help organisations develop and deploy their applications and APIs, but we also provide robust, simplified management solutions that allow for universal policy application, which has been highly beneficial for our customers.
When it comes to best practices for implementing Zero Trust, everything starts with a thorough risk assessment. Every application and API carries the potential to introduce risks, such as exposing sensitive data, providing unauthorised access to back-end systems, or allowing data corruption. It’s essential to identify and prioritise these risks based on the potential impact they could have on the business.
Additionally, many enterprises don’t have a complete understanding of their infrastructure and API landscape. Once there’s a clear mapping of this, risks can be aligned to the relevant areas, and security protections can be applied where needed. Continuous monitoring for breaches and privacy issues is also crucial to maintain ongoing security.
Given the rise in sophisticated DDoS and bot attacks, how is F5 enhancing its protection mechanisms? What trends are you seeing in automated threats, and how should enterprises adapt to mitigate these risks?
There are two main areas where we frequently see DDoS and bot attacks. Starting with bot attacks, one major motive is fraud. Attackers use bot networks to log into financial, reward, or loyalty accounts, like frequent traveller programs, to commit fraud and gain financially. This is particularly common in sectors like travel, hospitality, and finance.
Another type of bot attack involves inventory hoarding. Attackers use bots to deplete a retailer’s online stock of popular items, such as hats or sneakers, preventing real customers from purchasing them. This frustrates customers, who may go elsewhere, and it can result in fraudulent purchases made with stolen cards. Retailers suffer from chargebacks, losing both the inventory and revenue.
The third trend is the combination of bot and DDoS attacks, which degrade the performance of applications, making them less usable and driving customers away. Enterprises with a strong online presence must be prepared to defend themselves against these automated threats to protect their revenue and customer loyalty.
With stricter data privacy regulations such as GDPR, India’s DPDP Act, and sector-specific compliance mandates, how is F5 helping businesses navigate these regulatory complexities while maintaining strong security postures?
At F5, we first ensure that we are fully compliant with data privacy regulations like GDPR, India’s DPDP Act, and others globally. By doing so, we ease the compliance burden for our customers, as they don’t have to worry about our side of the data handling.
Beyond that, many regulations require clear visibility and telemetry into the data flowing through various environments, whether in the cloud, on-premises, or within applications and APIs. This visibility helps monitor for potential data breaches or privacy violations and enables timely responses. Additionally, if an auditor identifies an issue, customers need to provide fact-based evidence. With F5’s telemetry and data monitoring solutions, we help customers maintain compliance and address any findings with clear, factual data.