There are three main drivers forcing information security to evolve in the enterprise, the external threat environment, business innovation, and regulatory compliance initiatives.
1. The threat environment has become increasingly dangerous, what used to be external attacks that may disrupt services or in the worst case destroy data has shifted to theft of services, and data with results that can be highly damaging to the organizations bottom line. Cyber-vandalism and hobby-based malware has been upstaged and replaced by sophisticated and stealthy, financially motivated, and targeted attacks. Traditional methods of attack prevention, such as; updating security product signatures, rapid-patching and strengthening the perimeter, although still mandatory, are not effectively protecting organizations against these evolving threats.
2. Business is leveraging the internet for innovation, moving away from brochure-ware to service delivery via the web. SaaS, SOA, web services, are creating complex and dynamic environments in which traditional methods of security and optimization no longer provide the same value to the organization. The user population is also changing; telecommuting and an increasing number of disparate and mobile devices are making it more difficult for organizations to impose configurations or lockdown systems. In the past the majority of the user population resided behind the corporate perimeter – today, in some organizations, the majority use laptop computers and other mobile devices outside of the perimeter, exposing the organizations data and systems to attack.
3. Regulatory compliance pressures are forcing organizations to gain greater visibility into their security programs. Becoming compliant will not make an organization more secure and in most cases a best-practice approach to security will make an organization secure and compliant. Although some argue the benefits, or lack thereof, the reality is that regulatory compliance pressures have forced the issue of enterprise security into the board room and provided another incentive for implementing technologies and processes that improve the organizational security posture.
So what does this all mean?
People, process and technology need to adapt to these drivers or face extinction.
Security professionals must have a better understanding of the business they are hired to protect, must posses more soft skills such as communication and cooperation, and must evolve their skill against the dynamic threat environment and the evolving business infrastructure. Murray has some good thoughts on what makes a superstar security engineer (here), notice that business concepts and time, life, and career management are suggested as required domains. These soft skills will become increasingly important in the coming decade as security programs mature and become an integral part of business success. More importantly organizations structure becomes critical as enterprises must implement and organizational structure that supports cross-group cooperation and workflow.
Most organizational failures are a result of process issues and not technology. The majority of technology deployments fail due to poor process as well. As the demands on IT increase process becomes critical to success. Process makes the difference between minor security incidents, and being the star attraction on the front page of the Wall Street Journal, process must fill gaps in technology. Process must support workflow, coordination and cooperation between different organizational groups, process to support pre-incident security activities, and process to improve effectiveness and efficiencies over time.
Signature-based anti-virus and firewalls aren’t protecting the enterprise in the same way they did in the 90’s, they are still important components of information security, but their use will change. Firewalls become part of critical infrastructure, deployed strategically to protect key assets, as opposed to only used for perimeter defenses – in essence the perimeter changes, and multiplies, but it doesn’t disappear. AV will morph into client protection that includes integrated anti-virus, anti-spyware, personal firewalls, and host-based intrusion prevention, as well as operational functions such as configuration and patch management. This is already occurring and it allows organizations to leverage a common infrastructure to implement better controls prior to an incident occurring and to respond faster to threats as they occur, even those where a signature or patch may not be available. Defense in depth is critical, anyone who argues that network security is more important than host-security or vice-versa is doing you a disservice, certainly prioritizing budgets and technology deployments is essential as is a process to deal with the technology, but defense in depth is more important now than ever. Technology needs to adapt to the changing threats and support regulatory compliance.
Here are some key concepts that are essential to improving organizational security, some seem obvious and others are common sense, but you would be surprised how many do not fully understand what they mean…
1. You cannot prevent all bad things from occurring (period), you can limit the probability of a successful attack and you can limit impact when one does occur, but unless you house your systems in a tempest shielded, kryptonite lined, lead safe with no internet connection, no ingress/egress points, even physical, and kill everyone who knows of its existence, then you will experience an incident.
2. Data is more important than the systems they reside on, learn how to protect the data. Data encryption, at rest and in transit, becomes as important as stopping intrusions, not just an afterthought anymore.
3. Visibility and control are the foundation to improving security, if you cannot gain visibility into its state or you lack control to modify its state, you are extremely limited in your ability to secure it.
4. Process is as important, actually even more so, than technology –start with process than add technology to support strong process, not the other way around.
5. Security can no longer exist in a silo or a vacuum, security programs and security professionals must align themselves with the business or face extinction.