Posted in IT Infrastructure and Operations
Experts are having to radically rethink security because of mobility, cloud computing, social media, and other new technological forces. A principal reason for this is quite simply the pace of change. The rapidity with which technologies are being developed and deployed is unprecedented. A security professional likes to deliberate, weigh risks, and take measured steps. But the rate of adoption of newer technologies reduces the time available for threat analysis and strategizing.
These new technologies are not going away, so what is at issue for security professionals is the manner of their implementation. Implementation must be done intelligently, out of the recognition that investment in early detection and prevention is more cost-effective than cleaning up after a breach. Experts insist that security measures, both technological and managerial, must be put in place at the very beginning, not at the end of the implementation process. Functionality and time to market cannot be the exclusive considerations. Social networking Web sites can be indispensable, but processes and policies must be clearly laid down for proper implementation of the technologies. Those just jumping on the bandwagon are assuming extraordinary risk.
Security is about the translation of fear into behavioral change, a translation security professionals have yet to master. Despite a relatively high level of awareness and all of the educational resources available, half of the twenty-two million computers examined in a recent study were infected. Data breaches are epidemic, but there has been no corresponding increase in security spending. Businesses that learn of problems elsewhere tend to be unfazed by the knowledge. It is only when there has been a crisis in-house that mobilization occurs.
This phenomenon is a genuine hindrance to security experts who would take the case for investment to decision makers. Few things are as clear-sighted as disillusionment, but at that point it is already too late. One cannot wait for an incident or for the compilation of statistics. Threats are omnipresent, and new ones are emerging daily. While it is often helpful to consult the history of new technologies and risk, threats must be anticipated very precisely in the absence of irrefragable proof. It is also the case that the numbers presented to executives are soft anyway, because they are typically generated through self-reporting. The numbers available about the healthcare industry are more reliable, but only because of mandatory reporting requirements. In making the case for security investment in the past, experts could avail themselves of better numbers and a risk that was easier to quantify. Much more of the risk today falls under the rubric of the unknown. 9/11 and similar events all around the world have reminded the security community of the unavoidable need to be forward-thinking, to distinguish fine shades of plausibility, for today's security professional must be speculative. What counts as rational is being reexamined. According to Richard Dorough, CISO at Textron, the security experts on watch at the time of 9/11 exhibited rational behavior “given past incidents, but they were woefully unprepared for the prediction of new threats.” The behavior of decision makers has yet to change sufficiently, and the necessary reliance of security experts on a qualitative rather than a quantitative assessment method suggests that mutual misunderstanding and a credibility gap will characterize the relationship between executives and security professionals for some time to come (00-15).
Another crucial factor has been the change in the nature of the threat external to an organization. Typical in the past was the lone wolf craving fame, stealing data, or committing relatively pointless vandalism. The trend now is toward organized cyber-crime, maximally elusive and not infrequently involving state-sponsored intelligence agencies. According to Peter Heim, CISO at Kaiser Permanente, “We have a more formidable external threat as well as the challenge of keeping abreast of the incredible velocity of change for newer, more aggressive technologies, and this sometimes puts us on our heels.”