The Struggle to Secure the New IT

Monday, June 16, 2014

Gretchen Hellman


Disruptive technologies like the Internet of Things, BYOx and cloud have infiltrated all aspects of today’s digitally driven business environment, catapulting us into the era of the “New IT” and fundamentally changing the way we do business.

In the New IT era, technology is the lifeblood of business, driving innovation and agility in a competitive landscape. The once fortress-like data center has become porous with partner connectivity, cloud computing, virtualization and BYOD. 

Gone are the days when traditional siloed approaches to securing systems can be relied on to be the first line of defense in protecting organizational assets. In today’s world, data is fully accessible and available – anywhere, at any time and on multiple devices – which makes securing sensitive company data increasingly challenging. At the same time, IT security has never been so significant. For example, recent high-profile breaches at companies such as Target, Nordstrom and eBay show just how detrimental a breach can be, not only to a business’s bottom line but to its integrity as well.

In fact, a recent survey on the evolving role of the IT pro sheds light on how important information security is today. When asked what the top IT skillsets are that will be in highest demand over the next three to five years, respondents ranked information security as number one. Additionally, respondents ranked information security as the role with the greatest need to adapt to emerging technology in the same timeframe.

Getting the Organization Ready to Adapt

In order for you to respond to the rising demands of developing new security skillsets and role adaptation, you first need to feel empowered to take a seat at the table and market the importance of security to business leaders. While the situation has improved, security is often not treated as mission critical until a breach has occurred. Adapting to the disruptive technologies that have created the New IT requires internally marketing the need to evolve the security program to address the new vulnerabilities and subsequent risks they create.

Target’s CEO recently resigned in part because of the data breach that occurred in late 2013. This has certainly helped draw more boardroom attention to the importance of funding security. However, without a clear understanding of the new vulnerabilities the New IT has produced, the evolving threat landscape, and how that affects organizational risk, these now-interested executives are not empowered to make intelligent funding decisions. By adapting to the New IT, you can use examples of security breaches from competitors, partners or companies in close proximity, combined with an understanding of the related direct organizational risk, to get the budget and the resources needed to move security forward. And it’s important to note that business data will never be completely secure, so it’s imperative to create an understanding that the business will need to continue adapting quickly to potential threats.

Even when a business understands the importance of investing in security measures, knowing how much to invest can be a challenge. As an IT security pro, you are uniquely positioned to take the lead in showcasing the value of IT security to ultimately make the case that security investments should be a top priority for your company’s overall business strategy.

Securing the New IT Amidst an Evolving Threat Landscape

IT security pros should consider the following when securing business environments in the New IT:

· With new IT projects, availability can often come before security. Organizations need to adapt by making a risk analysis part of the new IT project process and building security budget into new IT projects – whether it’s expanding to the cloud or embracing BYOD.

· Compared to the upfront cost of security, the cost of breaches and compliance violations can be hefty. For example, Alaska’s Department of Health and Social Services was fined $1.7 million by the U.S. Department of Health and Human Services as the result of a data breach. Rather than advocating a bare minimum “check the box” approach, leveraging regulatory compliance requirements to gain budgets for strong security tools, processes and people will ensure that the security shop evolves rather than constantly retools.

· With a recently reported unemployment rate of zero (according to the Department of Labor's Bureau of Labor Statistics in 2011), good security analysts can be hard to find.  Organizations that take a proactive approach to build the security skills of promising IT employees will be better prepared for the increasing scarcity of knowledgeable security talent.

· To be agile, it’s important to remember risk management. One cardinal rule in security is nothing is ever truly secure. It’s a game of risk. The more valuable the information – the greater the threat.  The game is to implement enough defenses that an attacker would not invest enough resources to compromise it – in other words, get frustrated after trying for a long time and give up.  But the game is never done. We must continually evolve our security defenses because of everything that affects the risk evolving around us, including new services.

· Ensuring a strong monitoring strategy will help the security program to adapt and address new gaps in controls as the arms race continues. Creating a strong monitoring strategy based on risk with security information and event management (SIEM) software will help discover new threats as they arise and automate the monitoring process in the era of limited security resources. It’s impossible to prevent every potential risk from infiltrating your environment; therefore, it’s crucial to have an effective monitoring system to help detect unusual trends and prevent attacks from burrowing in deeper and wreaking true havoc.

Securing the New IT can seem daunting. However, by broadening your skillsets and seeking to have impactful conversations with business executives on the importance of security strategies and investments, it doesn’t have to be. 

About the Author

Gretchen Hellman is senior director of security strategy at SolarWinds. Gretchen brings extensive security management expertise to her role at SolarWinds. Prior to SolarWinds, she has held executive and product leadership positions at McAfee, ArcSight, Voltage Security and Vormetric. Gretchen began her career in information security as a consultant specializing in security policy and security program development. Gretchen is a frequent speaker in the areas of evolving attack methods, operationalizing security policy, security management, regulatory compliance, data security, and security information and event management. She holds a B.S.E.E. from Santa Clara University.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.