A new Dell-sponsored whitepaper by InsightaaS ‘connects the dots’ between IT security practices and business success. The paper, which includes research conducted by Techaisle, InsightaaS models and analysis and perspectives from sources like McKinsey & Company and Dell CSO John McClurg, highlights the key issues linking sound IT security with business agility through use of several “good news/bad news” perspectives on security in a business context.
The first section of the “Success and profitability: Security and the value of IT/business solutions“ report examines the growing business importance of technology. Data from a Techaisle survey of 635 Canadian IT decision makers (ITDMs) and business decisions makers (BDMs) representing businesses ranging from 1-999 employees shows that half of all organizations view current IT developments as having a ‘high’ impact on their operations, with another one-third believing that advances in IT have a ‘somewhat high’ impact; only 6% believe that advances in IT have a ‘low’ impact on their businesses. This emphasis on IT in a business context is supported by InsightaaS statistics showing that approximately 6% of Canadian GDP is allocated to spending on IT acquisitions and operations, and by an InsightaaS model indicating that the presence of IT is expected to become much more widespread, as new cloud-based technologies “enable automation in areas that previously could not be addressed,” enabling cloud-savvy firms to “gain new capabilities, improve process efficiencies and/or reduce costs much faster than their competitors.” The good news/bad news analysis closing this section points out that “business are investing heavily” in IT, which is established in virtually every sectors as “business-critical infrastructure” — but that “interruptions in IT service will be felt, clearly and immediately…the impact of IT failure has expanded tremendously.”
The observations regarding IT interruptions and failure act as a bridge to the second section of the report, which examines the downside of connected systems. Here, a complex graphic from Information is Beautiful illustrates the trend towards more and larger data breaches, and to a general trend towards criminals rather than inadvertent errors being the cause of information leakage. The visual is backed by analysis from McKinsey & Company and by Dell Chief Security Officer John McClurg, who is quoted as saying “It doesn’t matter if you are small or large, it’s not a matter of ‘if’ you are going to be compromised, it’s ‘when’.” McClurg also debunks the common (within the SMB community) notion that it is possible to achieve “security through obscurity;” he points out that in an interconnected world, each business is a potential point of penetration for a supplier or customer. SMBs might end up as collateral damage rather than as primary targets, but the disruption to the business will be severe either way.
Additional Techaisle data illustrates the impact of data breaches on SMB businesses. Survey findings show that Canadian ITDMs and BDMs believe that a security breach would damage customer trust in their companies, and would have a negative impact on customer privacy; that it would damage their companies’ reputations and bottom lines; that the reputations of IT and business professionals would suffer; and that a breach would negatively impact regulatory compliance. The ‘good news/bad news’ summary for this section reflects this stark perspective. Only one item — the potential for increased business management appreciation for security that may follow complexities associated with shadow IT deployments — appears on the list, opposite such tangible ‘bad news’ items as threats associated with increased use of connected systems, the increasing diversity of access points, the rising value of (and as a result, criminal interest in) corporate data, and the exposure associated with breaches. The concluding ‘verdict’? “The threat landscape is more pernicious than ever — it is getting ever-thornier…and the downside is worse than ever before.”
With both the upside of the value of IT/business solutions and the malevolent threat environment defined, the report delves into a concluding section on IT security options and their associated business benefits. InsightaaS unveils a multi-layer security model that addresses the needs — and the realities of current resources, both financial/technological and people — of Canadian SMBs. The approach includes guidance calling on SMBs to:
- Secure the perimeter. Quoting McClurg’s mantra of establishing a “minimally essential core,” InsightaaS urges SMBs to use technologies like firewalls to protect in-transit data, and anti-malware on client devices. This is the most common approach to security, and it is important — but it is the first step, not the end of the journey.
- Secure at-rest data. Encryption has long been viewed as a technology that provides a desirable result, but which extracts a heavy toll in terms of processing and response time. With faster clients, faster servers and storage, and faster networks, though, encryption is not the bottleneck it once was — and with the rising value of corporate data, the value of encryption has increased as well. SMBs should also invest in data loss prevention (DLP) technology to secure data resident on mobile devices. IT management has a third task, too: it is important to segregate internal networks, separating data into discrete domains, so that “if” (or in McClurg’s words, “when”) an organization’s perimeter is penetrated, hackers do not gain access to all corporate information.
- Protect against employee vulnerabilities. Most security defences are designed to stop external threats, but employees themselves are a major source of security vulnerability. Employee leaks can occur in two ways, through negligence/error or as a result of malfeasance. IT management can reduce leaks attributable to negligence/error through effective policies (and policy enforcement), training and awareness campaigns. An employee who has decided to steal corporate data can be a more difficult threat to protect against, though there are some tools emerging — such as analytics tools that look for possible malfeasance in data access and management patterns — that can help IT management to derail an “inside job.”
- Apply intelligence widely in the security process. The best complement to McClurg’s “minimally essential core” is a connection to global security services (such as Dell’s SecureWorks CTU Threat Intelligence services) that provide up-to-the-minute information on emerging threats, allowing SMBs to align their ‘shields’ to intercept threats before they reach (and breach) the perimeter.
- Integrate within and across the four layers. The final piece of the InsightaaS security framework isn’t an additional type of security technology, but rather, a requirement to ensure effective integration within and across the layers. The evolution of the threat landscape has created a need for organizations of all sizes to understand and deploy systems that intercept threats at the perimeter of the network, that protect network-resident and device-resident data, that secure against careless or malicious employees, and that use a network of sophisticated intelligence services to identify emerging threats and effective responses. Each of these solution types provides real benefit — but the combination of technologies used to access data, and the combination of technologies and processes used to secure that information, creates many potential gaps in a corporation’s IT armour. IT management’s challenge is to connect these resources so that there are no gaps within or between the four layers. The data on intrusions shows clearly that defenses will be probed constantly for weaknesses; IT management needs to ensure that there are no missed connections that provide ready access for a determined intruder.
In the final analysis, it isn’t possible to portray IT security as purely a ‘good news’ or ‘bad news’ story. The threats are real, and increasing in complexity and severity. At the same time, though, the tools used to deal with these threats — including technology, services and IT processes — are advancing as well. McKinsey makes the point that “cybersecurity…is a CEO-level issue.” This may or may not be true, but it is apparent that improving business agility is a CEO-level objective, and that companies who employ effective framework-level approaches to security will be better able to introduce new IT-enabled business capabilities than those that need to reconfigure their “shields” each time they adopt a new application, data service or device type. In the end, as the whitepaper’s final good news/bad news assessment observes, “the challenge is real and substantial — but with senior executive visibility and support, better tools and a strong support community, IT security managers are well positioned to drive success and profitability!”