Monday, April 13, 2015

Creating safe and secure enterprises

Information and cyber security is becoming a big topic of discussion extending beyond IT; in recent times it has definitely caught the attention of many country heads, Presidents and Prime Ministers alike. Conferences and summits are being organized in many parts of the world with discussions and debate around how to protect sovereign interests and secrets. It is thus surprising that beyond a few industries like telecom and, collectively, the BFSI companies, there is very limited traction with CEOs and Boards.

Security breaches are increasingly creating adverse impact on enterprises; many high profile incidents have heightened awareness globally, thereby removing the excuse of ignorance for decision makers. Thus the manifestation of interest is easily discerned by the presence or absence of a security function, irrespective of whether it reports to IT or not. Recent surveys by global consulting companies indicate improvement over the years, though the gap is still too large to give comfort. Why the indifference or inertia?

If we go back in time, systems were islands of information; information was exchanged between systems manually or through physical electronic media. Soon there was a way to connect multiple computers and they talked to each other within the computer room or data center. Improvements in telecom networks introduced the ability to connect distant locations though still within the enterprise. The advent of long distance data networks and the internet introduced new possibilities to connect with external stakeholders.

Standardization of data formats such as EDI and XML, and integration using published APIs, created new business models as well as collaboration opportunities with Extranets and Exchanges. The interconnected world also brought with it crooks, rogues, the greedy and the disgruntled who wanted to disrupt business as usual and profit from enterprise loss. The industry responded with solutions to prevent intrusion, hacking, sniffing, and direct and indirect attacks, attempting to create a shield around the end points and the transport layer.

IT was chastised for writing insecure programs that could be broken; they were never expected to write code that would be subject to threats from within or outside, as their starting point was information islands. Remedial action demanded layers around the information, while business upped the ante to demand information anywhere, anytime, for everyone. Moving from offline transactions to real-time information flow, programs were patched, retired, replaced and then left to run on uncontrolled machines thanks to BYOD.

Conventionally adopted protection technology solutions have been compromised; new vulnerabilities are being discovered every day. Patching remains the solace of the susceptible, yet it lags behind both the threats and their discovery. The evolution of defense strategies offers newer ways to safeguard the data, but they come with a cost that is unpalatable to many enterprises. The challenge lies in security budgets that range from thin to non-existent. Business expectation of quick and dirty solutions does not allow adequate time to create secure solutions.

In conversation with a few CXOs, they expected regulators to enforce spending on security; according to one, spending will stay muted unless it is mandated. Another had instructed his CISO to find low cost or open source solutions, or alternatively to selectively deploy security for specified endpoints or applications, leaving the rest protected with basic anti-virus. To him, no evidence of leakage implied that all systems were well protected; head in the sand appears a good way of declaring enterprise information assets secure.

It is incumbent upon senior enterprise leaders, CXOs and Boards to take up the cause and demonstrate leadership, starting with visible endorsement of security for all information assets. Risk Committees are themselves at risk should a breach become high profile, with loss of credibility and customers losing trust. Recovery from such incidents can be long and painful, consuming higher budgets and effort than planned interventions; and when something does go wrong, necks roll. There are many examples of breaches claiming CIOs and CEOs and tainting their illustrious careers.

It is up to IT organizations to include security by design in every new system they plan to build or buy. New technologies do offer opportunities to create secure solutions, and they do not necessarily come from the current industry leaders in solutions or security. The world is connecting in a way never imagined before. Collaboration has extended beyond B2B, B2C, C2C, E2C, to M2M, and new paradigms are created every day. The reality is that the innovation wheel is spinning faster and faster; where are you in the game?

Someone had quipped, “You cannot do today’s job with yesterday’s tools and expect to be in business tomorrow.” And I agree, do you?

1 comment:

  1. Hi Arun, extremely good article. However, in my experience, there is still a long way to go in terms of organizations treating IT security seriously.
    If one cuts corners around security, then vulnerabilities are bound to arise.
    I am appalled at the way even some financial institutions are treating security initiatives.