Innovation versus infosecurity

Innovation and security should not be mutually exclusive but unfortunately they often are seen that way, says James Henry.

James Henry, Auriga

If buying a house is all about location, then running a successful business has to be about innovation – the ability to see beyond the next corner, to move away from business as usual and to embrace technologies and processes that can improve the way the business functions.

It seems surprising, then, that many businesses are extremely risk averse. From BYOD to cloud and now IoT, few have sought to be early adopters, preferring instead to follow the herd.

In many cases, the justification for tardiness has been security: concerns over how exposed the enterprise may become, how it will govern user access and, ultimately, how it will retain control of the process. But it's that very need for control that is stymieing our ability to innovate and ultimately holding back our economy.

Technology is not the only harbinger of change. The way the business operates is also becoming more intricate, with a greater reliance upon external parties for outsourced functions, products and services, creating a complex web of interdependent organisations that have very little visibility of each other's risk management operations. This is often the weak link in the chain that attackers exploit, because the organisation simply assumes its partners and associates have observed the same due diligence.

Risk in these relationships also tends to vary from sector to sector, with some being more astute than others. For instance, organisations handling financial data tend to be more risk aware because of compliance requirements. The emerging discipline of Vendor Risk Management (VRM), which Gartner defines as the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance, can help here. VRM provides the contract management, policies, standards and procedures needed to protect each party and ensure consistency across the supply chain.

Evaluating risk is fundamental when transitioning to a new technology, but it's not without its challenges. For the enterprise entering uncharted territory, evaluating unknown variables can be problematic. Key questions to consider, aside from the cost-benefit equation, include whether you will seek to avoid, modify, transfer or accept each risk.

What's guaranteed is that risk cannot be eliminated. It's a matter of weighing up the dangers posed by a new way of working and deducing whether the benefits make those risks acceptable.

A Risk Management Framework (RMF) can make the process easier. Once risks have been appraised, assessed and found to be acceptable, a framework provides a repeatable process: categorise the information and systems, select and implement controls across the information lifecycle, assess and monitor the outcome, and act on the findings accordingly.

There are a variety of flavours but, implemented correctly, an RMF should be embedded across all general management. Unfortunately it can be overly prescriptive, making it an obstacle to innovation, or can be sidelined as a process, making it extremely difficult to promote across the organisation. The key is not to get hung up on the documentation, to engage senior management and the board, and to make the framework fit the business rather than the other way round. If it can demonstrate its worth by revealing the path the organisation should tread, everyone will feel it's a justifiable process.

By far the biggest obstacle to innovation, however, is the failure to recognise that the security game has changed. According to a recent survey, nine out of 10 large organisations have suffered a breach, which makes a strategy built purely on keeping attackers out redundant.

Yet the vast majority of spend is still devoted to perimeter defence and network protection (even new disciplines such as threat intelligence are focused on defending the network from attack). What really matters is the data, regardless of where it resides. So we need to focus spend on evaluating the value of data and putting processes in place that obfuscate it and make it difficult to detect, access and read.

Establishing a culture where data protection is a priority is no mean feat. It means documenting the information estate, looking at how data is stored and accessed, classifying it, and managing it from cradle to grave with provisions for its destruction.

Role-based access is of course a must, as are encryption and key management, together with an overarching policy that allocates responsibility and lines of reporting for each of these functions. In some instances, this will require a complete overhaul of business processes to get the house in order.

Innovation and security have become, but should not be, mutually exclusive. If security is seen as a barrier to adoption, the security sector itself needs to adapt. We need to arm the enterprise with the means to embrace new ways of working by moving out of our own comfort zone to address data security and data protection.

As a sector it's time to innovate or die.

Contributed by James Henry, consulting practice manager, Auriga.