It has been well documented across business and technical publications that we are entering the digital business era, which creates new ways of doing business.
This type of evolutionary step has been seen many times before: mainframe computing gave way to the PC, which in turn yielded to the Internet era. New tools and technologies fueled each period of business, and the digital era is no different. In an effort to be more agile, IT has turned to innovations such as virtualization, software-defined networking, mobility and the cloud.
However, the one area of IT that has yet to evolve markedly is security. Before security professionals can revamp their security strategies, they need to understand the new rules that are in place. Below are the security rules for the digital business era.
- Complexity is the enemy of security. When it comes to security, there's an easy axiom to follow: complex systems are harder to secure than simple ones, and there's no question that IT is far more complicated than it was even a decade ago. Every additional component is one more thing to configure correctly, patch and monitor, and the interactions between components are where misconfigurations and blind spots hide. It's critical that security professionals work with the rest of IT to take a step back and simplify the infrastructure as much as possible, or they will always struggle to secure the environment effectively.
- More isn't better. The 2015 ZK Research Security Survey revealed that, on average, large enterprises have 32 security vendors. The reason organizations have so many vendors is that businesses often buy point products to solve specific security issues without thinking about the bigger picture. Individually, the products may do what they're supposed to do, but think of each device as its own security island with no knowledge of what's happening on the other islands. This creates 'security sprawl': inconsistent information, gaps in coverage and blind spots. I'm certainly not advocating going to a single vendor, but minimizing the number of security providers, and making sure the ones that remain share what they see, helps organizations take a more architectural approach to security.
- Focusing on compliance is ineffective. This probably seems like heresy to auditors and some security professionals. The fact is that a list of checked or unchecked boxes doesn't tell you whether an organization is secure or insecure. For example, a compliance requirement might be that users change passwords monthly and follow a complicated composition scheme. That may cause users to write passwords on Post-it notes and stick them on their monitors because they are too hard to remember, which is exactly why forced periodic rotation is no longer regarded as good practice. Compliance is a floor, not a ceiling: hackers don't care about your internal audits, so do them, but don't take them as gospel.
- The perimeter is everywhere. Another way to put this is that the network is borderless. Either way, the clearly defined perimeter that was in place a decade ago is gone. The Internet, mobility, the cloud and the Internet of Things have all contributed to a massive increase in the attack surface. Networks have also become much flatter over the past several years, so once a hacker is in, it's much easier to move laterally through the network, identify the data worth stealing and begin the exfiltration process; segmentation and least-privilege access between zones are what keep one compromised device from becoming a compromised network. Lastly, the growing trend of "shadow IT" means users are storing data in unauthorized places such as Dropbox or Google Drive, extending the border even further. When building a security plan, build it with the concept of an ever-expanding perimeter in mind.
- Slow won't work. Security and performance are often at odds with one another. In fact, in the 2015 ZK Research Security Survey, 43% of businesses admitted to turning security features off in favor of keeping network performance up. Consider what that means: security professionals knowingly made the organization less secure rather than make the network slower. Why? We live in a network-centric world, and a slow network means slow applications, slow compute and slow workers. Security now needs to operate at the speed of the network, which means inspection and enforcement have to be designed into the infrastructure rather than bolted on where they become a bottleneck.
There is no silver bullet for solving these security challenges, but these are the new rules to play by. One of the most important steps in adhering to them is having end-to-end visibility of all network flows, because anomalies in those flows can be the first indication of a breach.
For example, workers typically use the same applications every day, so each device has a recognizable baseline of the destinations and services it talks to. If a worker comes into the office with an infected device, that device will likely produce traffic outside its baseline: new internal hosts, new ports, new external destinations. At that point the device should be quarantined to contain any further infection, and the inspection process can begin. The baseline has to be tuned so that one new SaaS application doesn't trigger a quarantine, and a deviation is a reason to investigate rather than proof of compromise, but finding out in minutes instead of months is the whole point.
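As an added illustration of the per-device baseline described above (example code written for this edit, not from the article or from ZK Research), the following Python learns which (destination, port) services each workstation normally uses, then flags hosts whose current flows are dominated by services never seen before, or that push a large volume of data to those new services. The flow records, hostnames, addresses and thresholds are constructed for the example; a real deployment would feed it NetFlow/IPFIX or firewall logs and tune the thresholds per environment.

```python
"""
Per-host traffic baselining: learn the (destination, port) services each
workstation normally talks to, then flag hosts whose current flows depart
from that pattern. Added example for this article; all flow records,
hostnames, addresses and thresholds below are constructed, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that initiated the flow
    dst: str        # destination host or IP
    dport: int      # destination port
    bytes_out: int  # bytes sent by src in this flow


def build_baseline(flows):
    """Map each source host to the set of (dst, dport) services it used."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport))
    return dict(baseline)


def score_host(host_flows, known_services):
    """Score one host's current flows against its baseline.

    Returns (novel_ratio, novel_services, novel_bytes): the share of distinct
    services not in the baseline, those services, and the bytes sent to them.
    """
    current = {(f.dst, f.dport) for f in host_flows}
    if not current:
        return 0.0, set(), 0
    novel = current - known_services
    novel_bytes = sum(f.bytes_out for f in host_flows if (f.dst, f.dport) in novel)
    return len(novel) / len(current), novel, novel_bytes


def detect_anomalies(baseline, flows, novel_ratio=0.5, min_novel=3, exfil_bytes=100_000):
    """Return {host: verdict}, verdict in {'quarantine', 'review', 'normal'}.

    A host is quarantined when a large fraction of its services are new AND
    there are enough of them that a single new SaaS tool or printer does not
    trigger it, or when it sends a suspicious volume to never-seen services.
    Hosts with no baseline at all are marked for review rather than assumed bad.
    """
    by_host = defaultdict(list)
    for f in flows:
        by_host[f.src].append(f)

    verdicts = {}
    for host, host_flows in by_host.items():
        if host not in baseline:
            verdicts[host] = "review"  # brand-new device: inspect, don't guess
            continue
        ratio, novel, novel_bytes = score_host(host_flows, baseline[host])
        if (ratio >= novel_ratio and len(novel) >= min_novel) or novel_bytes >= exfil_bytes:
            verdicts[host] = "quarantine"
        else:
            verdicts[host] = "normal"
    return verdicts


# Constructed "last 30 days" flows: two workstations with stable habits.
BASELINE_FLOWS = [
    Flow("ws-alice", "mail.corp.example", 993, 12000),
    Flow("ws-alice", "files.corp.example", 445, 80000),
    Flow("ws-alice", "crm.corp.example", 443, 30000),
    Flow("ws-bob", "mail.corp.example", 993, 9000),
    Flow("ws-bob", "files.corp.example", 445, 50000),
    Flow("ws-bob", "wiki.corp.example", 443, 20000),
]

# Constructed "today" flows: alice visits one new vendor site (benign); bob's
# laptop sweeps neighbouring hosts on SMB and pushes data to an unfamiliar
# external address on an odd port, the shape of lateral movement plus exfil.
TODAY_FLOWS = [
    Flow("ws-alice", "mail.corp.example", 993, 11000),
    Flow("ws-alice", "crm.corp.example", 443, 25000),
    Flow("ws-alice", "docs.vendor.example", 443, 4000),
    Flow("ws-bob", "mail.corp.example", 993, 8000),
    Flow("ws-bob", "10.0.5.11", 445, 600),
    Flow("ws-bob", "10.0.5.12", 445, 600),
    Flow("ws-bob", "10.0.5.13", 445, 600),
    Flow("ws-bob", "203.0.113.77", 4444, 150000),
    Flow("ws-carol", "mail.corp.example", 993, 7000),  # first day on the network
]

if __name__ == "__main__":
    for host, verdict in sorted(detect_anomalies(build_baseline(BASELINE_FLOWS), TODAY_FLOWS).items()):
        print(f"{host}: {verdict}")
```

The two-part quarantine rule is the tuning knob the paragraph above calls for: a single new destination (alice) stays below both the ratio and the count threshold, while a burst of new internal peers (bob) or a large transfer to an unknown service trips it. The "review" verdict for a host with no history is deliberate; an anomaly detector can only call something anomalous relative to a baseline it actually has.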
Security professionals need to accept the harsh truth that the organization will be breached. The question is how quickly the threat can be found and quarantined. The security game has new rules, and following them gives businesses a fighting chance.