IT managers must not bow to pressure to let security issues lapse as the UK exits the recession.
This was the opinion of top level chief information security officers (CISOs) at a roundtable event held this month in London’s BT Tower.
The risk is that as firms exit the recession and take advantage of new business opportunities using new technologies, the release of business activity suppressed during the downturn may create pressure not to evaluate the inherent security risks of new projects.
CISO Gary Cheetham at insurance provider NFU Mutual laid out the problem: "Moving into new areas with new technologies which we don't fully understand could lead to exposures. I've got to illustrate those exposures to the board so that they understand that perhaps it's worth it doing a little more planning, before we move."
One such new technology is cloud computing, which although in its infancy could drive down costs significantly when it matures. Yet security around this technology remains a concern.
"Even though it’s currently in the hype cycle, the problem with the cloud is that right now there are no security standards around this," said Bernt Ostergaard, senior research director at market research and analysis firm Current Analysis.
He added that he's seeing a massive interest from enterprise customers: "I'm hearing telcos saying that their enterprise customers expect savings in the 35–40 per cent range - that's a huge cost reduction. This will push CFO and CEO to come down hard on the CIO and say, 'Why aren't we doing this?'"
The increased pressure to deploy new technologies comes in the context of a change in the way hackers are exploiting technology weaknesses. The number of software security flaws was down in 2009 compared with 2008 but hackers are becoming more strategic.
"[Organised hackers are] becoming much more focused and much more vicious – they're getting better at targeting where the money is," said Ostergaard.
This shift should have a major impact on how companies manage their security patch priorities.
"[Hackers] are not going for normal high risk flaws as much, they're going for the lower risk ones, bypassing firms' patch management cycles, where high risk flaws are patched first and lower risk ones patched later," said Lloyds of London chief information security officer Marcus Alldrick.
This has increased the need to be more proactive, he explained: "We can't just concentrate on the protective aspects of our security controls, we have to look at the detective aspects as well – and that means more monitoring, and being quicker in applying corrective fixes."
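To make the patch-queue point concrete, the following added example (not from the article or any of the firms quoted) contrasts a severity-first backlog with one that also weights how long a flaw has been open, whether the host is internet-facing, and whether exploitation has been observed. The backlog entries, dates and scoring weights are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Rank used by a classic "high risk first" patch cycle.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class PendingPatch:
    name: str
    severity: str
    released: date        # date the vendor fix became available
    internet_facing: bool  # reachable from outside the perimeter
    exploit_seen: bool     # active exploitation reported by monitoring


def severity_order(patches):
    """Severity-first ordering: low-rated flaws always wait for the next cycle."""
    return [p.name for p in sorted(patches, key=lambda p: SEVERITY_RANK[p.severity], reverse=True)]


def exposure_score(p: PendingPatch, today: date) -> int:
    """Severity plus exposure window, boosted by reachability and observed exploitation.
    Weights are constructed for the example, not taken from any standard."""
    days_open = (today - p.released).days
    score = SEVERITY_RANK[p.severity] * 10 + days_open // 7  # each unpatched week adds weight
    if p.internet_facing:
        score *= 2
    if p.exploit_seen:
        score *= 3
    return score


def exposure_order(patches, today: date):
    """Ordering that lets an old, exposed, low-rated flaw jump the queue."""
    return [p.name for p in sorted(patches, key=lambda p: exposure_score(p, today), reverse=True)]


# Constructed backlog as of a fixed reference date.
TODAY = date(2010, 3, 1)
BACKLOG = [
    PendingPatch("core-banking-rce", "critical", TODAY - timedelta(days=3), False, False),
    PendingPatch("web-portal-xss", "low", TODAY - timedelta(days=120), True, True),
    PendingPatch("mail-gateway-dos", "medium", TODAY - timedelta(days=45), True, False),
    PendingPatch("hr-app-info-leak", "low", TODAY - timedelta(days=30), False, False),
]

if __name__ == "__main__":
    print("severity-first:", severity_order(BACKLOG))
    print("exposure-aware:", exposure_order(BACKLOG, TODAY))
```

The low-rated web-portal flaw sits at the back of the severity-first queue for months, which is exactly the window the quoted CISOs describe attackers targeting.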
The end of the recession compounds the problem of security management because projects to replace legacy applications were postponed and now those unpatched technologies need urgent attention.
"Eighteen months ago there were a lot of projects to replace legacy systems which got put on hold. Those legacy systems with all those [unpatched] vulnerabilities are still sitting there," said NFU Mutual CISO Gary Cheetham.
Companies now have to make a financial decision about whether to patch the legacy systems or continue with the original project.
"Now the question is… do I fix the flaws in those legacy applications? In some situations it's quite expensive to do that," added Cheetham.
Vodafone Group CISO Bryan Littlefair added that dealing with legacy applications is a huge challenge: "Think of that legacy application that relies on an old version of Java. The latest Microsoft patch updates the Java software and sometimes the legacy application won't work."
In April, new data protection legislation comes into force giving the Information Commissioner's Office the power to fine companies up to £500,000, so it is even more important for companies to manage governance, risk and compliance.
NFU Mutual's Cheetham says one of the problems he has found is getting the balance right: "How [do I] hit the sweet spot between regulation, policies, usability and business objectives? How do I get that right?"