Today’s enterprises face growing challenges to traditional ‘perimeter’ security used to protect IT services and resources, as Oliver Descoudres of Logicalis Australia explains.
Trends like BYOD, the shift of services in to the cloud, or many clouds, and the convergence of siloed systems onto the core network is making enterprise security more complex. Indeed, as customers, suppliers and employees increasingly transact with organisations from anywhere in the world, and at any time, they effectively render enterprises ‘borderless’.
Add in new breeds of threat that infiltrate corporate networks and it is clear that CIOs should be adopting a more business-centric security model: security should be business priority not just an IT responsibility.
So, what are the key components of a business-centric security approach?
- Culture. According to a 2014 survey by Deloitte, 70 per cent of organisations rate their employees’ lack of security awareness as an ‘average’ or ‘high’ vulnerability. Organisations must, therefore, move to a conscious culture where every employee is aware of potential risks – from malware propagated via email to the practice of saving corporate data to personal cloud services like Dropbox. This is particularly relevant for organisations allowing employees to BYOD (even more so for those without BYOD policies, which are therefore more likely to be at risk from shadow IT).
- Policy and Procedure. Without incident response processes in place the best technologies are worthless. The key outcome of effective policy and procedures is the ability to adapt to evolving threats; that is, to incorporate changes to the threat landscape in a cost-effective manner.
- Controls. Security controls deliver policy enforcement and provide hooks for delivering security information to visibility and response platforms. Controls need to extend to wherever the business operates and may include:
- Uniform application security controls (on mobile, corporate and infrastructure platforms)
- Integrated systems for patch management
- Scalable environment segmentation (such as for PCI compliance)
- Enterprise Mobility Application Management for consumer devices
- Network architectures with Edge-to-Edge Encryption
- Monitoring and Management. 24×7 monitoring and management is essential. Having around the clock staff and retained security resources is fine for larger enterprises, but for medium size organisations this is less achievable. Moreover, according to Verizon Enterprise Solutions, companies only discover breaches through their own monitoring in 31 per cent of cases. Organisations can cost effectively benefit from up-to-date, sophisticated technologies and processes by outsourcing this work.
A shift in focus
It’s never been more important for organisations to have a robust security strategy. But despite the growing number of high-profile data breaches, the balance of information security spending is weighted to the prevention of attacks, rather than improving (or establishing) policies and procedures, controls and monitoring capabilities.
Quite simply a new approach to security is needed, where the focus is on securing information from the inside out, rather than protecting information from the outside in.
There is still value in implementing endpoint security software as a preventative measure, but those steps must now be part of a wider strategy that addresses the fact that so much information and access is now outside the corporate network.