No more castle building - enterprise security and risk management

By John Leonard
01 Jul 2014 View Comments
Maginot Line

Armour, fortifications, strongholds. These have been essential tools for those seeking to protect themselves, their countries and their treasure throughout history, keeping valuables safe from the marauding hordes outside.

However, the examples of ancient Troy and the Maginot Line show us that fortifications are far from impregnable, and that placing too much faith in them to the exclusion of other defences can be a very expensive error.

Further reading

A more recent example is that of Target. As one of the largest retailers in the US, Target presumably deploys plenty of heavy cyber-armour, yet it was recently laid low by criminals who metaphorically crawled in through a ventilation shaft into the firm's inner sanctum. They simply laid a phishing trap for an aircon supplier that had privileged access to Targets networks, broke in and ran off with more than 100 million credit card records.

The fact is, organisations are more vulnerable than ever. The ever increasing number of connecting devices, ever lengthening supply chains and widening global reach across an insecure-by-design internet all equate to more vectors for attack. But negotiating these dangers is all part of doing business. You can't lock yourself inside your castle walls because who then would buy your wares?

"We can't protect everything. Businesses have been dealing with risk and realising they've got to take risk; risk is how businesses actually make money..." said the director of global threat management of a media company, neatly encapsulating the issue.

A recent Computing research programme looked at how organisations are dealing with this new reality, where they see the main threats coming from, and how they are seeking to deal with them.

No more castles

The thinking around data security is moving steadily away from firewalls and point solutions, as important as these still are, and towards data governance and risk management.

"Over the last six months, there's been far more realisation that we can't build yet another castle, we really can't," said an operational risk manager at a bank.

This change of emphasis has also given rise to a new range of job titles, such as data governance executive, risk manager and compliance officer, people whose task it is to investigate the flows of data in and out of the organisation, to work out where the vulnerabilities lie, and to put a value on all of the different sorts of data so that protection can be prioritised in the most cost effective way.

Feeding into this is another buzzphrase currently doing the rounds, security intelligence - identifying and assessing the capabilities and intentions of hostile individuals or organisations in order to stay one step ahead of the threats.

These disciplines will grow and mature over the coming months and years as data moves further away from IT's direct sphere of influence. Of course, some sectors, generally highly regulated verticals such as finance, started to make these changes some time ago and are now led by security strategists.

"Security dictates what IT needs to do, rather than the other way round..." said a global security officer in finance.

Areas of vulnerability

Top of the rankings in terms of areas of vulnerability came the proliferation of mobile devices and the demand for more mobility.

"The big threat we have seen this last year is mobile devices. There has been a huge increase in mobile banking application Trojans," said a CISO in retail.

Email was seen another top vector, and rightly so since the vast majority of targeted attacks have been found to begin with an email.

The human factor was particularly onerous for security professionals, with the marketing department singled out as a target for their ire probably because they handle sensitive customer data.

"The average marketing person has no concept of data governance and they can't see the problem of creating an Excel spreadsheet with customers' names, addresses with credit card numbers and saving it on a public drive..." said the head of IT, in a gaming company, suggesting a strong need for better user education and the provision and promotion of secure alternatives for transferring data.

Part of the education process is keeping security front of mind across all parts of the organisation. Sending fake phishing emails to staff to see who opens them and then feeding back the results can be an easy and effective way to raise awareness of targeted attacks and social engineering, although, as one respondent told us, there may be political consequences.

"We sent out an email pretending to offer free tickets to the Olympics, then we had very senior people clicking and being very embarrassed... It went really high up, I mean really high up..." said a CIO in banking.

This is an edited version of the keynote speech delivered by Computing editor Stuart Sumner during the Enterprise Security & Risk Management Summit 2014 in London today. The research comprised two focus groups, an online quantitative study in which 265 IT decision makers took part, and a number of in-depth interviews with key opinion leaders.

Reader comments
blog comments powered by Disqus
Newsletters
Is it time to open Windows?

Computing believes that Microsoft will start offering Windows free of charge by 2017. Is this a good thing for the enterprise?

54 %
19 %
7 %
15 %
5 %