Originally posted @ Gigaom Research 9/7/2014
Security, or Information Security (InfoSec) as the more formal term, is going through a period of massive change. In recent months, the public has become keenly aware of the risks from Information Security. Public security issues at Target, UPS, Apple’s iCloud, Home Depot and the government’s Healthcare.gov website moved the security awareness front and center for the general public. When considering the reach of these companies, statistically speaking, it is highly probable that one or more of these issues has affected most in the US.
At a recent conference of CIOs, Chief Information Security Officers (CISO), CEOs and security experts discussed the challenges all companies face. One expert noted that security is a balance between privacy and security. While that may be true, risk also must be considered along with cost. One could argue that ethics may or may not play a role in the decision too. While somewhat unrelated, it does bring to mind the case study of the Ford Pinto. The decisions made can impact a great number of people.
Security’s big data problem
Today’s security problem has evolved from the days of firewalls and virus protection. Today’s security problem is far more complex and involves people, mobile devices, unsecure networks, complex applications and subtle footprints. These subtle footprints, while independently insignificant, point to a larger issue when considered with other data points.
Collaboration, whether within a company or across companies is key. Competitors within a single industry are even starting to collaborate on security issues. In addition, the volume of data being analyzed is really a big data problem. No longer are the days where just looking for a certain ‘signature’ will suffice. Threats are far more sophisticated, clever and adaptable.
Reducing the risk footprint
One way to break down the problem is to look across the enterprise and break down the risk footprint. The risk footprint is the area that is most sensitive to the enterprise. It may refer to systems, applications or data. Simply treating all systems, networks, applications and data equal, creates a fairly daunting problem. In addition, the problem is only getting more complex, not simpler. Reducing the footprint allows the organization to understand the varying degrees of risk and bring attention to those areas that need it. In many ways, it provides clarity for the organization to focus on the crown jewels.
Defining the crown jewels
As with any assessment, understanding what is critical is key. According to Alex Stamos, Yahoo’s CISO, “Nobody but Microsoft is qualified to run Exchange today.” One could argue with that statement in the past. Today, one would be hard-pressed to argue, as Exchange gets increasingly more complex and becomes more of a utility to companies rather than a strategic differentiator. It is those more sensitive areas that one needs to focus on.
New threat vectors
In addition to commercial applications like Exchange, the IT organization needs to consider (relatively) new potential threat vectors from open source software and Internet of Things (IoT). Open source software is not new. However, it is gaining wider appeal in the enterprise IT organization. According to Tom Reilly, CEO of Cloudera, “400 people look at commercial software versus open source where 4 million people look at it.” Even major companies such as Salesforce take an ‘open source first’ approach with software.
Open source is not the only new tool in the shed getting the InfoSec attention. IoT is both exciting and scary at the same time. Unlike traditional IT systems, networks and applications, IoT presents an exponentially complex problem for security. Concerns circle around IoT being built on a broken foundation that was not built for IoT. PG&E, the main power and gas utility in the San Francisco Bay Area is concerned about security and IoT with their smart meters. PG&E uses IoT to evaluate the validation of devices and data coming in to avoid fake power outages. Without validation, the ramifications could be huge. And that is just the start. What happens when IoT devices such as wearables become more commonplace, but not updated. Each of those could present a growing threat.
The sky is not falling
According to Yahoo’s Stamos, “There is nothing that Yahoo can buy today to solve the problems.” The panel of security experts mentioned that when considering threats from nation states, there are only 30-40 Fortune 500 companies that are keeping up.
With all of the concerns, one could easily become paranoid. It is good to keep a healthy degree of concern around security, but support innovation and new paradigms. Cyber security is not going away, it is just going to evolve. Today’s CIO and IT organization needs to understand, stay on top of and adapt accordingly.