In what is fast becoming a technological arms race, cyber-security is one of the biggest risks facing businesses and individuals alike. The threat landscape changes constantly, and organisations in every sector face increasingly sophisticated attackers.
With financial and regulatory pressures top-of-mind, accountability for delivering security across the organisation has reached the boardroom table. Through conversations with current and prospective customers, I find this is a pressure many organisations are acutely aware of but struggle to address.
Turning chaos into order
The traditional approach to IT purchasing has been to buy point solutions that do the best job at that particular moment in time. Many businesses are now realising that addressing each challenge with a separate product or supplier is costly and short-sighted, a path that leads to a complex and unmanageable tangle of individual products and service-level agreements. As a result, CISOs who value integration find themselves encumbered with a sprawling estate and ever-rising expectations of the technology at their disposal.
Best-of-breed solutions will undoubtedly deliver on the point problems they are designed to solve, but by definition they are narrowly specialised, and the network environment they sit in is increasingly interconnected. Securing the whole jigsaw requires an integrated view, with the individual products able to share what they see.
As a first step in any security programme, CISOs should look to implement holistic solutions that give comprehensive visibility and control of all the pieces.
Now I have the technology, how do I stay in it for the long-term?
With such a tangle of solutions on their hands, a top concern for many organisations is the difficulty of identifying when an attack is underway. Most organisations will see no clear signs of an attack at the time it happens, and it may take months for victims to discover a threat and respond. To be truly effective, defenders must consider what can be done at every stage of an attack: before, during and after.
Key to this, and to sustaining security in the long term, is a process-driven approach that can evolve over a number of years. Organisations need to realise that the solution does not stop with the technology. Processes can adapt; technologies will keep changing as businesses constantly re-evaluate them to justify the investment. CISOs must understand that keeping on top of the latest security technology is important but is only part of the solution, and its job is to support the processes the organisation already has in place.
With this in mind, IT leaders should establish more user-friendly security policies and shift to user-centric approaches, lowering the risk of a breach across the entire organisation. Because employee behaviour is one of the greatest threats to security, second only to cybercrime, these policies need to be flexible enough to accommodate different behaviours. If employees believe that IT security makes their job harder, or remain unaware of the risks their behaviour creates for the organisation, businesses will continue to play Russian roulette with their IT security.
Championing IT as the internal security consultant
IT should support this change by adopting the role of internal consultant. Rather than being the naysayers seen as a block to innovation, the IT department should aim to drive change through the best use of technology. This means promoting policies that enable and protect while also boosting productivity. Fundamentally, it requires embedding security into all business processes and ensuring those processes are managed and evolve to reflect the ever-changing threat landscape.
To build the foundation for truly robust security, strong processes and governance should be seen as standard. From the basics, such as a sound password policy and consistent patching, IT needs to support the board in feeding security into all new ventures and operations. With attackers most likely already in your systems, it is critical to change traditional approaches and build security into the very fabric of your organisation.
Contributed by Terry Greer-King, director, cyber-security, Cisco UKI.