Security is a top agenda item for CIOs – but the landscape is changing. New trends and technologies are serving as both an enabler and a hindrance to business, and striking the right balance means executive teams must reassess their risk appetite.
IT leaders gathered at the Rockpool Bar & Grill in Sydney recently to discuss the future of security; how to develop a cohesive working relationship between IT and security teams, and the human side of security considerations. The event was sponsored by Palo Alto Networks.
According to Nir Zuk, co-founder of Palo Alto Networks, we’re already seeing a shift in the security landscape and determining your risk profile should also prompt the removal of outdated constraints.
“But it's not about getting rid of the parameters – just changing them,” says Zuk.
Many attendees expressed a need for new data protection solutions, to better equip CIOs to tackle the fast advancing risk of popular mobile technologies, without stifling the efficiency or the end-user.
"We're now moving away from traditional architectures, which held all data centrally within locked down networks,” says Luc LaFontan, CIO at property development and management company Goodman.
“Now the expectation and business requirement is to access everything from anywhere from any device, and we must account for that.”
Of course, as pointed out by David Bryan, director IT strategy and architecture at UNSW IT, it doesn’t help that these days young people are being trained to be hackers, with the growing popularity of hackathons as a means of acquiring talent.
"Telstra runs an annual Cyber Security Challenge with Australian universities to find the best and identify potential candidates for IT security work across the sector including Telstra itself,” says Bryan.
Bridging the divide
Some attendees believed the biggest challenge that IT leaders have faced until recently was a clash with security teams, where security has been used as an insurance policy rather than an enabler of business.
"There has been a growing divide between the CIO and security. The CIO continually wants growth, but the security team sometimes doesn’t allow it," says Zuk.
New technology has helped to bridge this divide, with more advanced tools coming to the fore covering areas like email, instant messaging, mobility, and enabling security-as-a-service (SaaS) – but Zuk says good strategic communication is still required moving forward.
“There's a need to work strategically with all IT workers to fix that disconnect between the CIO and security that always exists; good communication is needed.”
At a time when security and IT must come to a compromise on how best to enable the business, LaFontan raises the issue of accountability.
"The biggest question we need to ask is – who is responsible for a breach: IT or the business?” he asks. “We’ll all suffer from an incident at some point, so it’s more a matter of how we are prepared to respond to it.”
End user issues
Ensuring training and compliance of end-users to company policy is crucial. Zuk asserts that, as we cannot have 100 per cent control over user behaviour all the time, the onus will also fall on newer, more advanced solutions to keep data protected.
“Most attacks going after data come through users – they don’t care about rules and passwords,” he says. “But the systems that separate users and data are going to become more sophisticated, whereas today it's just application level credentials."
Some attendees also noted that compliance is still a big issue for both end users and the board, and LaFontan says the best way to get engagement of both is to have an actual incident.
“While this is not what we want, if and when it does occur, suddenly we have 100 per cent of the stakeholder’s attention. The problem is that then it is too late – so is there a way to create the situation in a controlled fashion?” he asks.
Zuk thought this approach problematic, however, stating that “spear phishing doesn't work.
“Education is good of course, but we need to realise it's not just an end user issue. If the user receives an email with a PDF from the CIO, would they open it? Yes, of course. It's the same with external devices, if I dropped a bunch of USBs containing malware in the parking lot near the workplace to be discovered by employees – they would try it.”
As the conversation ultimately turned to bring-your-own-device (BYOD) and mobile device management (MDM) policies, it was noted that at present these are not always achieving the end goal of enabling the business.
"It may not work for a general workplace; start-ups usually work on any device, anytime, anywhere, but in the enterprise security needs to be addressed and this can be seen as a barrier by employees,” says Allan Davies, CIO for Dematic. “Therefore the question is – do these barriers stifle the innovation and enthusiasm that we see in startups?”
Davies explains how he tried to tackle this by setting up an advisory board with the hopes of attracting young innovative employees.
“I wanted the youth. I wanted to discuss security and innovation – to ask them 'how do I give you what you want, but still sort out security?' If there’s no answer, it’s on them to find a solution, they become the owners.”
Zuk cautions that when introducing these policies, security has to be extended and mimicked to all devices and applications where possible.
“Often for things like firewall, desktop security, mobile security, it's all run by different people – not enough organisations understand that these should be uniform,” he says.
“The world of just email and web is gone; technology implementations by many organisations haven’t quite caught up. Many are spending a lot of money just on scanning email, but why bother spending all that money if the hacker or malware is coming via mobile, Dropbox, or instant messaging?”
One CIO, who wished to remain anonymous, shared the analogy employed throughout her organisation when it came to the use of mobile devices. “Let them run with scissors,” she says.
“Educate users on the risks, deploying a good mobile device management (MDM) system to enforce control, and see how they go,” she says.
MDM and data classification
While different models of data classification can help minimise risks, attendees expressed concern about controlling the movement of enterprise data.
One CIO claimed that MDM simply doesn’t work, having experienced too little return from too few vendors, for far too great an overhead. Also present is the risk of disgruntled employees whose devices may have to be wiped following a security threat – although not all found this to be a concern, as long as users are warned about this possibility.
"If you want the convenience of accessing corporate data on your mobile device, you’ll also have to give up the liberty of full control. That's just the nature of it - these are the rules and so far, for us, nobody has complained,” the CIO says.
Zuk said the best way to counter mobile risk is to monitor and control network traffic.
“You must be aware of that traffic and where it is going, and all of that is done by network, not the user behaviour,” he explains. “Traffic forwarding is going to become more granular. Corporate and personal data will see a complete split, with no overlap. That’s the direction the industry is moving.”
Building vendor relationships
Though SaaS vendors are always an option, LaFontan felt an external approach to security often wasn’t worth the investment.
"A lot of security experts coming into businesses today are missing the point, the profile of the business needs to be considered and they do not spend the time to learn the business – then they cannot provide effective solutions,” he says.
To solve this problem, Davies says vendors should do more to work with business to develop a wider understanding of the culture and goals within a particular organisation.
"We need thought leaders. I like a vendor relationship, not vendor management. Both of you have skin on the line, so vendors should be partners with companies looking into the future,’” he says.
“[Vendors] need to phone me about actual issues with my business, not just generic cost savings, that's what will pique my interest.”