Given today's evolving threat landscape, it's understandable that organizations want to take a proactive approach against threats, create an environment of continuous compliance, and have responsive IT operations processes. Organizations want to reduce risk exposure and the attack surface, detect and respond to advanced threats, and drive down security operations costs. The reality is a multitude of pressures hamper an organization’s ability to fulfill those objectives, and they aren't going away anytime soon. Drawing from conversations I’ve had with many leading security practitioners and executives at various commercial and public institutions, I see five key challenges that organizations must address in order to optimize their security and compliance programs.
Challenge #1: The Recognized Impact of a Security Breach
The seemingly endless news cycle of data breaches has alerted organizations, including executive and board management, to the importance of security and the fear they might be next. Last year, over 82 percent of respondents to a Tripwire survey thought it was likely their organization would experience a breach. It's not surprising then that more than three quarters (78 percent) of boards are concerned with computer security today, according to a joint study conducted by ISACA and RSA. This heightened attention is due, in part, to the costs of computer crime, which the Center for Strategic and International Studies estimated to be around $445 billion annually. Unfortunately, that total is expected to increase each year as organizations process and store more information, and as cyber-crime becomes more pervasive and of higher impact. Cyber-crime continues to escalate in frequency, impact and sophistication and threatens enterprises regardless of size and sector. A data breach or intrusion can cause an organization to lose customers, revenue, and reputational value, experience loss of operational continuity and question the integrity of its data. For some businesses, those losses would range from costly to downright irreversible.
Challenge #2: The Skills Gap
One of the contributing and elevating factors to rising breach costs is the ongoing InfoSec skills gap. In the ISACA/RSA study I mentioned above, 52.44 percent of respondents felt that less than a quarter of their organizations' employees are qualified for their positions. Those respondents also identified security practitioners' ability to understand the business as the largest skills gap. This problem poses a serious risk to an organization. If security practitioners don't fully understand the nature of their business, security and business personnel will fail to see how each asset is relevant to the support of an organization's mission. That means they won't grasp the relative business importance of protecting each asset, which will hamper their ability to reduce threats and mitigate risks. And, while skilled professionals might be in high demand these days, there simply aren't enough InfoSec folks to go around. A 2014 study estimated that though there was a global need for as many as 4.25 million security professionals, only 2.25 million practitioners were currently engaged in the field. The skills gap poses a double risk to organizations. Not only are information security practitioners in short supply, but skilled personnel are even rarer. Each business needs to address this hiring and skills challenge head-on if it is to shore up its data security.
Challenge #3: The Explosive Growth in Endpoints
Long ago, network designers pondered the prospect of toasters on Ethernet. As entertaining as that notion was at the time, technology has now demonstrated that just about everything is now, or shortly will be, connected, accessible, serviced and controlled from the network. This explosion of connected devices and assets introduces an incremental scaling problem that dwarfs most of our earlier security and compliance models and predictions, toasters notwithstanding. Now more than ever, it's imperative that we have educated, skilled security personnel who can safeguard the modern IT environment's diverse array of endpoints at the scale we see now, and will see in the future. This wasn't as great a problem back in 1992, when IT professionals could use antivirus software to protect PCs from most digital threats. But now some 22.9 billion endpoints are up and running on organizations' networks, and according to a Cisco report, that number is expected to double by 2020. The effort needed to protect so many devices can drive up security operations costs and stretch any organization's ability to make sure each device is compliant with industry standards.
Challenge #4: The Digital-Physical Convergence
The number of endpoints is proliferating across all sectors of the economy, including financial services, retail, food and beverage, industrial, energy, oil/gas, automotive, transportation and utilities companies. These organizations are responsible for maintaining critical national infrastructure, including transportation systems, power plants and transmission systems, durable goods and food manufacturing, processing and distribution facilities, which means that any threat to their endpoints could potentially disrupt the economy or cause harm, including physical harm, to citizens. In the event that an industrial organization becomes aware of a vulnerability in Industrial Control Systems (ICS), it will likely apply countermeasures, perform hardware repairs and make sure there are no software conflicts before taking any further action. This is because hardware issues in industrial control systems are significant; they can cause power outages, reduced industrial output, and other adverse downstream effects in a production system that is highly optimized and has limited tolerance for disruption. Meanwhile, enterprises are most concerned with privacy and ensuring a set of rules limiting unprivileged users' access to information. They dedicate much of their information security programs to information confidentiality in order to protect against a breach. These different IT and OT priorities were once isolated, yet in light of the Internet of Things (IoT) and the Industrial Internet of Things (IIoT), we're beginning to see a convergence where enterprise and industrial teams must work together to streamline their services. It stands to reason that they should also align on the protection of critical infrastructure.
Going forward, companies will need to consider systems and all endpoints across IT and IoT/IIoT as they balance their priorities and explore how they can leverage safety, a common-ground objective for all types of organizations, in order to forge productive partnerships.
Challenge #5: Security and Technology Are Changing Rapidly
As the digital-physical convergence illustrates, threats do not apply to organizations uniformly. Security takes on different forms and dimensions from one business to another, which means "security-in-a-box" solutions may be part of the answer, but rarely are the complete answer to keeping systems and data safe. Security has to evolve to meet today's sophisticated threats. The solutions we used last year, or the year before, need to be re-assessed relative to their current value proposition. Some of those technologies and vendor partnerships will carry into the future intact and/or with improved value proposition(s). Others will not fare as well, and will need to change and adapt (some radically so) if they are to offer value now and into the future, and survive. We're already seeing seismic shifts in the vendor community; vendors long considered leaders in the space have lost their standing, and new vendors are taking their place. In any case, solutions need to adapt to accommodate the current and future needs of an organization. Collectively, security solutions need to make it easier for companies to share threat intelligence with each other and with other industry members. Of course, these changes can make it difficult for organizations to invest in security. Navigating all the different packages and configuration options can get confusing, after all. As a result, organizations need to develop a rich, contextual picture outlining what they want in terms of security. This should involve identifying the critical assets that need the most protection as well as the technologies, people, and other resources necessary to get the job done. One crucial, or requisite, point of reference is the security framework. Most organizations should adopt one, just as all commercial and public organizations observe standard financial reporting frameworks and protocols.
Any one of the publicly available security frameworks, such as NIST, Gartner's PPDR, CIAS, ISO27001, etc., can work. Once a framework is selected, it will need to be calibrated and tuned to the specific requirements of the organization and its commercial ecosystem. Adoption of the selected framework will require a good plan, strong investment (and possibly re-allocation of funds), good partners, execution, and time.
Conclusion
Though some might like to think otherwise, these five challenges – affectionately referred to as "the five monkeys" – aren't going away anytime soon. With that in mind, organizations need to adopt a forward-looking plan that takes these factors into account. They need to prepare to manage and mitigate the escalating security, compliance and operational risks these trends will engender. This process should include:
- Accurate assessment of the business’s needs relative to IT and IoT/IIoT, using a risk-based orientation.
- Adoption and application of an appropriate standards-based framework.
- Creation or adjustment of your security and compliance architecture.
- Selection of strategic vendors/partners whose technical abilities, strategic vision, and commercial strength and viability, will support your architecture and whose core capabilities address the challenges these trends present to your organization.
- Development and phased implementation and deployment of your security and compliance plan, prioritized by business risk.
- Implementation or expansion of your continuous monitoring, response and calibration programs.
At the end of the day, every organization needs to expand its understanding of the scale and complexity of the task at hand given these trends. This understanding will broaden the scope of security programs so they encompass the entirety of the environment and include long-range plans designed to mitigate the risks these trends create. Now, more than ever, it's important to take a pragmatic, proactive approach to cyber security and compliance, instead of wrestling with monkeys.
About the Author: Gus Malezis is President of Tripwire and began his career in technology 30 years ago with roles at companies including Merisel, 3Com and McAfee. In 2005, he joined nCircle as Vice President of Worldwide Sales and retained that role at Tripwire following its acquisition of nCircle in 2013. Mr. Malezis’s ability to successfully lead organizations in the ultra-competitive vulnerability and security configuration management at nCircle made him a natural fit to lead Tripwire’s next phase of growth. Mr. Malezis attributes the exponential growth he’s delivered during his tenure with Tripwire to first rate products and services, along with a world-class customer service, support and sales organization.