While security is certainly a top priority for CIOs, many enterprises haven’t updated their perspectives and strategies for security in years.
That’s a very dangerous prospect, because the security challenges facing CIOs today have changed dramatically in just the last five years. As I see it, this change is being driven by three main factors:
- The enterprise threat landscape is shifting, rendering past security strategies ineffectual;
- General awareness of security threats has increased, in part through more media coverage of data breaches and network attacks, which drives new compliance measures and new penalties;
- The mobile cloud era (a.k.a. the Third Platform) has changed how (and how much) enterprises can control and protect their data.
The Shifting Threat Landscape
Security attacks today look very different than they did five years ago, as do the individuals perpetrating those attacks. The image of a lone hacker devising ways to compromise networks through clever coding is outdated. Today, anyone with a little knowhow can buy tools or rent services that help them mount network attacks—for surprisingly little money, and with a built-in supply chain for selling stolen data. These attackers are increasingly able to exploit “zero-day” vulnerabilities in software; that is, weakness that are present in software from day one of which the software vendor is unaware.
Rising Awareness of Security “Fails”
Reports of security breaches make the news on a regular basis, and more publicity means more budget for security, right? That is frequently true, but it also means that more is at stake when security breaches occur. In addition to industry compliance requirements, which have grown increasingly complex and costly to manage, and compliance penalties can have a significant impact, most notably in industries such as finance, retail, and healthcare.
The Arrival of the Third Platform
IT systems have undergone an amazing transformation over the years, from supporting a handful of users connected to a mainframe to millions of people connected to the cloud. The mobile-cloud infrastructure of today, dubbed the Third Platform by IDC, has an enormous impact on enterprise security.
In the client-server architecture of the past, enterprises could protect their data through the IT equivalent of moats and walls using firewalls, antivirus software, etc. That worked reasonably well, so long as you kept your treasure in a box within your castle. With the cloud, however, the traditional concepts of inside and outside no longer apply. Instead of hackers storming your gates, attacks are increasingly happening in less obvious and ever-changing ways, hugely elevating the importance of threat detection and incident response.
So what does all this mean to CIOs? It means that we are long overdue for a complete re-parsing of what it means to go about “doing” security. For example, the historic 80/20 split of spending on protective measures versus detective and responsive measures is no longer a valid model for security today. Instead, CIOs should use a new security budget model that more evenly splits investment into three buckets: protection, detection, and response.
This approach recognizes the reality that the game has changed, and we need to enable our organizations to identify threats that didn’t exist yesterday, and respond to them like they’re old news. What enterprises should be doing is admitting that we can’t prevent every attack from hitting, but we can do a lot more to minimize the impact those attacks have on the business.
It all comes down to what I like to call intelligent security, and it starts with defining what kind of treasure you’re trying to protect. For healthcare and retail like Anthem and Walmart or Costco, it may be customer privacy. For a financial institution or the energy industry, it may be in assuring the integrity of transactions. For a service provider like T-Mobile or Amazon Web Services, it may be in assuring system uptime and the ability to bill for it.
I could spend every security dollar you have, and there would still be things left to secure. That’s why we need to focus security with intelligence on protecting the “treasure” of your business. You’ll never build a wall high enough to keep out all of the bad guys, but you can tool up to hide your treasure so the ones who do get in walk away empty handed.
If your security isn’t doing that today, talk to us about our Security Advizer strategic consulting offering and find out how Rolta AdvizeX can help you build a better security solution that addresses the real threats facing your business today. ▪