Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/30/2015
11:00 AM
Tsion Gonen
Tsion Gonen
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Getting To Yes: Negotiating Technology Innovation & Security Risk

As enterprises look for ways to leverage the cloud, mobility, Big Data, and social media for competitive advantage, CISOs can no longer give blanket refusals to IT experimentation.

Change has been a constant in the cybersecurity industry over the past few years. One of the more subtle shifts is that CISOs have had to learn to appreciate -- and use -- the word “yes.”

For years, information security executives have been conditioned to say “no” to any new technology initiative that was perceived as presenting potential risks to the organization. The average security practitioner instinctively says no to almost everything. Whether it was no to requests to move into the cloud, to open up a site to external users, to expand use of mobile devices in the workplace, to adopt social media for business applications, the answer was no because of the possible security risks these ventures represented. Saying no became the security chief’s biggest data protection strategy.

But security executives are learning -- and are continuing to accept -- that saying no can actually put their careers at risk. As enterprises look for ways to leverage the cloud, mobility, Big Data, and social media for competitive advantage, giving blanket refusals to IT experimentation and innovation is no longer an option.

Bring-your-own-device and “shadow IT” are now commonplace at many organizations. And the move to the cloud has become so popular that it’s now unimaginable that a security executive would be able to keep business users from accessing cloud-based applications and storage systems.

Not surprisingly, security practitioners have been struggling with this growing need to say yes to different projects. After all, their mission is to identify what they consider to be risks and protect the organization from being hurt by those threats. But saying yes is a requirement in today’s increasingly and connected digital world.

Rather than trying to swim against the current or blindly ignore the security risks these projects might present, CISOs and other technology professionals involved in security need to focus on learning about the business benefits of these initiatives and finding the tools that can help safeguard corporate data and systems in these new environments.

Plan B
Concurrently, as part of this change in thinking, security executives need to be in on the discussions about the business goals of using technologies such as the cloud and mobile devices, so they can gain a better understanding of the value of these initiatives to the organization and how IT assets should be secured.

As security executives accept the consumerization of IT, they also need to switch from a “Plan A” to a “Plan B” security strategy. With Plan A, the thinking has been that the organization is not going to experience a breach and that technology such as next-generation firewalls and intrusion detection will prevent breaches from happening.

Most current security blueprints are based on Plan A, with a heavy emphasis on technologies that protect the perimeter and somehow stop attackers from getting where they shouldn’t be. This made some sense when all the data and users only existed behind the corporate firewall.

It’s becoming quite clear, however, that Plan A is not working as it should be. Consider the number of huge data breaches that have occurred over the last year or two, and you can see that cybercriminals are finding ways to defeat current security defenses.

In today’s security landscape, it makes more sense to move to a Plan B, where the focus is on protecting data. This can involve a number of different technologies that are available today and would be potentially important components of the strategy.

It’s also clear that data encryption should play a major role in any Plan B. Someone is going to get past the network perimeter defenses at some point, so organizations need to make sure that whoever gets in can’t use the data. Another way of looking at encryption in the context of Plan B is that it is the ultimate way to “unshare” data in shared environments.

Many organizations will likely struggle with moving from Plan A to Plan B, simply because the former has been in place for so long. People who work in security programs are accustomed to working with what they are comfortable with -- and this usually means firewalls and other legacy security technologies. But not a lot of staffers today are experts in encrypting an infrastructure. (Hint: if you want a secure career in security, you might want to get into encryption.)

In the final analysis, security executives need to evolve and say “yes” to more new IT initiatives. They can do so while feeling confident they are doing everything necessary to protect corporate information resources by taking a Plan B approach.

Tsion Gonen serves as Chief Strategy Officer for Gemalto's Identity and Data Protection Division. He is responsible for developing global business and product strategies, and identifying and capitalizing on emerging market trends within the information security market. Prior ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27610
PUBLISHED: 2021-06-16
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious u...
CVE-2021-34801
PUBLISHED: 2021-06-16
Valine 1.4.14 allows remote attackers to cause a denial of service (application outage) by supplying a ua (aka User-Agent) value that only specifies the product and version.
CVE-2021-34803
PUBLISHED: 2021-06-16
TeamViewer before 14.7.48644 on Windows loads untrusted DLLs in certain situations.
CVE-2020-8299
PUBLISHED: 2021-06-16
Citrix ADC and Citrix/NetScaler Gateway 13.0 before 13.0-76.29, 12.1-61.18, 11.1-65.20, Citrix ADC 12.1-FIPS before 12.1-55.238, and Citrix SD-WAN WANOP Edition before 11.4.0, 11.3.2, 11.3.1a, 11.2.3a, 11.1.2c, 10.2.9a suffers from uncontrolled resource consumption by way of a network-based denial-o...
CVE-2020-8300
PUBLISHED: 2021-06-16
Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must b...