Today’s threat landscape is nothing like it was 10 years ago – simple attacks that caused containable damage have given way to modern cybercrime operations that are sophisticated, well funded, and capable of causing major disruptions to organisations and the national infrastructure. Not only are organisations facing the traditional information security risks, but as many leverage digital technologies to innovate and adopt new ways of working, they are becoming exposed to new cyber threats and security structures are becoming more vulnerable than ever before.
Not enough to be compliant
IT leaders are responding accordingly, with security topping the list of CIO priorities this year and many organisations increasing security spending. But it seems that many IT and security professionals are ill informed when it comes to what constitutes an effective security strategy. Security vendor Vormetric recently conducted a survey of more than 1,100 Chief Information Security Officers at global enterprises, and found that a majority are approaching security as a compliance exercise. Despite the fact that 91 per cent of those polled believe their organisations are vulnerable to internal or external data threats, 64 per cent view compliance as “very” or “extremely” effective in staving off data breaches. One recent CIO Magazine article suggests the reason for this is that IT leaders are underestimating the impact of security breaches on their organisations, and are subsequently underestimating what it takes to prevent and control them.
In the same way, the 58 per cent of CISOs who said they plan to increase spending on security this year are motivated by compliance concerns, with much of their budgets going towards stronger perimeter defences such as network and endpoint security, as well as security incident and event management (SIEM). This trend is supported by another study conducted by Piper Jaffray, this time surveying CIOs, in which 82 per cent of respondents stated that they intend to spend more money on security, in particular on endpoint security. As Vormetric’s CSO states, “Compliance does not ensure security. It’s a bare minimum of security you should have in place”.
A new approach to security
The organisations that are most at risk of data breaches are those that view security’s role as solely to defend against threats. Security must be recognised as enabling the business, ensuring not just protection but business continuity and mitigation. It’s no longer a function that resides solely with the IT department – in order to create a security strategy that respects the legitimate business concerns of access and usability, collaboration with the business is necessary. Support is needed at the senior levels so information security gets the focus and attention it needs. Organisations that integrate best security practice into their processes from inception onward will limit the scope and damage of attacks. Where an organisation has systematic plans to defend, identify, remediate and recover from attack, they will be able to focus on core business with some certainty.
The three fundamental tenets of best security practice are:
- Visibility – in order to be able to identify the impact of threats, it is important to know how and when they are occurring. Centralising various sources of data into a security monitoring system enables actionable insight into possible anomalies.
- Continuity – the focus in IT security needs to shift to controlling and managing breaches, as organisations aim to trace and mitigate business impacts from attack.
- Mitigation – mitigation is focused on how attacks and breaches can be limited during and after the fact, but the key to these techniques is to plan ahead and deploy robust controls in advance.
In this uncertain security landscape, organisations can’t afford to be complacent with the safeguarding of their sensitive data. It is simply not enough to be compliant – modern security strategies must be ‘baked’ into an organisation’s infrastructure and services, and must be considered from the business requirements and design stages through to implementation and operation.
Learn more about the importance of a business-centric security strategy, and the steps to implementing such a strategy in your organisation, by downloading our complimentary whitepaper: ‘Security in a world with no perimeters: a business-centric security architecture’.