Oliver Descoeudres, Logicalis Australia, looks at the security challenges inherent in delivering the more open environments that are a consequence of IT consumerisation and diverse demand for apps and services – and how CIOs can respond.
Balancing the competing demands of IT security with agility is not easy.
The consumerisation of technology, the rapid rise of Shadow IT and the emergence of digital means the CIO and CTO are under pressure to deliver and facilitate IT based services and solutions - and at an unprecedented rate. If they don’t, their line of business colleagues will only go out and buy it anyway.
But sitting heavily at the other side of the scales is the issue of security. And it is getting heavier; not only are organisations facing traditional information security risks, but providing the degree of agility that line of business demands is leaving them exposed to new cyber threats. As a result, IT infrastructures are becoming more vulnerable than ever before.
Not enough to be compliant
IT leaders are responding accordingly, with security topping the list of CIO priorities this year and many organisations planning to increase security spending.
But it seems that many IT and security professionals are ill informed about what constitutes an effective security strategy. Security vendor Vormetric recently conducted a survey of more than 1,100 Chief Information Security Officers at global enterprises. It found that a majority treat security as a compliance exercise. Despite the fact that 91% of those polled believe their organisations are vulnerable to internal or external data threats, 64% view compliance as “very” or “extremely” effective in staving off data breaches.
One recent CIO Magazine article suggests a reason for this: IT leaders are underestimating the impact of security breaches on their organisations, and are underestimating what it takes to prevent and control them.
And the costs of these breeches are eye watering. According to a UK Government survey the average cost of the worst breach to a large company (90% of whom experienced an average of 14 breaches) covering elements such as business disruption, lost sales, recovery of assets, and fines & compensation is between £1.5m and £3m. The cost to a small business is £75k to £311k. These figures are both up on the previous year.
Security first
In an uncertain security landscape, organisations cannot afford to be complacent about safeguarding their sensitive data. It is simply not enough to be compliant. Modern security strategies must be ‘baked’ into an organisation’s infrastructure and services, and must be considered on an end-to-end basis - from the business requirements and design stages through to implementation and operation.
A new balanced approach to security
The organisations that are most at risk of data breaches are those that view security’s role as solely to defend against threats. Security must be seen as enabling the business, ensuring not just protection but business continuity and mitigation. It’s no longer a function that resides solely with the IT department – collaboration with the business is vital to creating a security strategy that respects the legitimate business concerns of access and usability.
Support at the senior levels is crucial to ensuring information security gets the focus and attention it needs. And there is good reason to offer that support - organisations that integrate best security practice into their processes from inception onward will limit the scope and damage of attacks. With systematic plans in place to defend, identify, remediate and recover from attack, they will be able to focus on the core business with some certainty.
With that in mind, the three fundamental tenets of best security practice are:
- Visibility – in order to be able to identify the impact of threats, it is important to know how and when they are occurring. Centralising various sources of data into a security monitoring system enables actionable insight into possible anomalies.
- Continuity – the focus in IT security needs to shift to controlling and managing breaches, as organisations aim to trace and mitigate business impacts from attack.
- Mitigation – mitigation is focused on how attacks and breaches can be limited during and after the fact, but the key to these techniques is to plan ahead and deploy robust controls in advance.
The message is clear; security must always come first, but by adopting a business-centric security approach, it does not have to be at the expense of agility.
Learn more about the importance of a business-centric security strategy, and the steps to implementing such a strategy in your organisation, by downloading our whitepaper: ‘Security in a world with no perimeters: a business-centric security architecture’.