
Cyber Security Must Be A C-Suite Priority

By ISBuzz Team | August 19, 2016 | 6 Mins Read

Digital technology has fundamentally changed business practice over the past decade. Cloud-based applications dominate, workers routinely access corporate information remotely via smartphones, and access to the corporate network increasingly includes supply chain members, contractors and part-time workers. Yet cyber security has failed to keep up – and some of the responsibility has to lie with the C-suite.

Why are cyber security experts not involved from day one in every strategic decision? Why are businesses still expecting the security team to take responsibility yet leaving deployment in the hands of multiple departments, from application development onwards? It is time to address the fragmented, outdated, reactive attitudes to cyber security that still dominate. By failing to embrace security expertise and innovation up front, businesses are incurring far too much risk. Adam Boone, Chief Marketing Officer, Certes Networks, insists it is time to make cyber security a priority for every C-suite.

Exploding Attack Surface

While it is hard to imagine a new business initiative or strategic development that is not IT driven, only 45% of boards participate in overall security strategy. Yet not only is technology underpinning every aspect of business, the increasingly fluid and agile way in which businesses now operate has fundamentally changed the threat landscape, most notably by massively expanding the attack surface. The number of applications now being used by a huge and diverse user base, both within and outside the organisation, across personal smartphones, in the cloud and, of course, IoT devices, has created a level of risk never before encountered. Each one of those users or end-points becomes a target, a point of potential vulnerability. Just consider that one hacked company can compromise the operations of every business along an entire supply chain. Or a single contractor who is compromised by an attack can become the stepping stone into the heart of your company. Cyber security practices clearly have not kept up with this exploded attack surface, as the near-daily exposure of breaches confirms.

The implications of this lack of senior level participation in cyber security strategies are tangible. First of all, security is reactive, with experts consulted after strategic business decisions have been taken and IT deployments rolled out – leaving gaping holes in the security plan that simply cannot be effectively filled retrospectively. Secondly, responsibility for security is not centralised but fragmented across multiple silos – from application developers to network teams and those responsible for remote access or end-point protection.

The result is that while security may be tasked with safeguarding the business, achieving that objective can require interfacing with up to eight different groups – all of which are focused on their own areas of responsibility, rather than security. In some cases security is not the overriding, top priority of these teams, who are focused instead on application or network performance and other fundamental functions. Even then, security procedures and tools are implemented piecemeal, creating a fragmented and confused picture across the organisation.

While security remains a secondary business consideration and security teams lack central control, the corporate risks will continue to rise.

Best Practice in Cyber Security

The difference between those organisations that have a top-level commitment to security and the rest is stark. The best practice approach ensures security is considered, evaluated and incorporated into the planning stages of every corporate strategy – not addressed after the fact. Furthermore, a dedicated security team – preferably led by a Chief Information Security Officer (CISO) – has full, centralised control over policy and implementation, enabling the business to achieve uniform security across the entire enterprise, rather than the fragmented, even contradictory solutions often deployed on a departmental basis.

Critically, with security people involved in the planning stage from day one, the company can ensure best security practices are baked into the project from the outset – and that best practice cyber technologies can be embraced to both improve defence and drive business value.

Software-Defined Model

For example, replacing a traditional – and vulnerable – rigid firewall with a software-defined perimeter that is far more fluid enables a business to remain secure despite constant operational change. A software-defined perimeter that is disconnected from the infrastructure can drastically simplify the complexities of adding or removing cloud applications, or granting mobile access for a specific set of workers. Similarly, the adoption of software-defined Wide Area Networks (SD-WAN) enables organisations to securely embrace the lower-cost cloud computing model while maintaining every aspect of the security posture – from policies to encryption.

Essentially, with a centralised approach and a security strategy aligned with business direction, organisations can move away from outdated thinking about securing the perimeter. Simply put, security can no longer be about managing devices and networks. It must instead be focused on managing users and applications, and tightly aligned with the business objectives associated with both. For example, role-based access control can enable an enterprise to consistently enforce policies across the range of users and applications, directly aligning that critical security function of remote access with the overarching business objectives. Which applications do physicians need to access in order to do their jobs? Which do the nurses need? Which should never be accessed by either?

The most effective approach enforces these policies in the actual access control process itself, building on existing policies for user access and identity management. Then, when access is to be granted, the application traffic is protected by cryptographic segmentation that prevents it from being accessed by non-permitted users.

This approach has the added benefit of blocking unauthorised lateral movement, which is the hallmark of modern data breach vectors. If all applications are protected by real-time role-based access control, and if all user access is limited to only what a user needs to do their job, then the compromise of one user does not grant access to everything. Lateral movement is constrained and the breach is contained.

Organisations that embed this software-defined model within strategic planning not only minimise risk but also support business innovation. Consider a company looking to deploy a new application to its workers that will increase productivity by 40%. Roll that out to the 50% of staff that work at HQ and the benefits are clear; but build in security planning from day one and that application can be securely extended to mobile workers on their smartphones and part-time contractors – suddenly the 40% productivity gain is massively extended, boosting performance and delivering ROI for the application itself far, far quicker.

Conclusion

When every business decision has a technology implication, cyber security clearly needs to be led from the top; it must be organisation-wide rather than silo-focused; centralised and consistent. Done well, security is not simply a defensive strategy, but an enabler of better enterprise performance – and those organisations with a C-suite that prioritises cyber security are not only in a far better position to minimise risk but also well placed to drive tangible business value.

 

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
