We’re undergoing one of the biggest transformational changes in IT since the introduction of the personal computer. We’ve evolved from mainframe to the PC client-server era, to cloud computing and mobile. Companies can now spin-up compute and storage resources in minutes and end-users can access information from almost anywhere, including 35,000 feet in the air.
This brings great opportunities for businesses to redefine themselves, but it also brings new challenges. Among the biggest concerns I hear about are how to keep corporate data secure, regardless of where it resides. Chief Information Security Officers (CISOs) still need to protect the business, but they need to do so facing an increasingly hostile threat environment, transformational IT change, regulatory and compliance initiatives and a serious lack of security talent.
What’s a CISO to do? I have three suggestions:
Be a business enabler, not a gatekeeper
Despite having “security” in the title, the top priority for any CISO isn’t to just lock data down; it’s to enable the business. No longer can the security team be the department of “no” to end users and executives who want to use new technologies that will help them do their jobs better. This means CISOs need to put an end to draconian policies that restrict behaviors such as the use of mobile devices, cloud apps and new software tools. They need to allow the business to adopt new technologies, especially those that improve productivity and efficiency while lowering costs.
The shift from restrictive to permissive requires a serious change in the way CISOs think about their role and about security. The correct mindset should mirror the overall IT environment. CISOs need to embrace the dynamic openness of data flows and devices in today’s cloud-based environments where perimeter walls have fallen down, letting data flow into and out of the network. Similarly, it’s futile to hold end users back from the technologies they want to use. The result is rogue and shadow IT that compromises security all the more.
Take advantage of automation
As data, devices, users and workloads multiply, your security team needs to become more agile and efficient by taking advantage of scalable technologies that enable automation and granular control of data, devices, users and workloads. For example, one area where security automation can support modern infrastructure is in the way new code can be developed and delivered. Delivering new code to customers used to take six months. Now organizations can deliver code every hour if they want.
Automation platforms also help IT keep on top of security and improve efficiency during staff shortages. Instead of sticking with manual processes, CISOs can turn to automation and free their personnel to focus on higher level tasks software can’t do, such as analyzing potential threats, dealing with policy violations and misuse of corporate resources, and adopting innovative technologies to improve the business overall.
Don’t forget the basics
Instead of trying to find a silver bullet to take on sophisticated and stealthy advanced persistent threat attacks, CISOs can benefit greatly from practicing good security hygiene. Things like strong access controls, data encryption, software updates and patching, threat detection and vulnerability management are all basic and easy, yet many companies are woefully inadequate about doing them consistently. Meanwhile, more than 90 percent of attacks take advantage of vulnerabilities and weaknesses that could have been easily avoided. Instead of worrying about so-called “next-gen” technologies, CISOs should look back at best practices from the past ten years and follow them.