The digital revolution is transforming every aspect of the economy and the technology platforms that all our businesses and services run on.
For CEOs, CIOs and enterprise security experts, it presents unique opportunities and challenges. The opportunities are well known – the creation of new products and services, and even whole new industries. Digital levels the playing field and allows ambitious and innovative start-ups to challenge powerful incumbents in existing markets and define new markets that well-established organizations are forced to respond to.
The challenges posed by digital are also well known and they stem from its very essence – data. Data is the fuel and the currency of the digital revolution, but the more data is gathered, aggregated, analysed and shared, the greater the risk of its misuse.
Nevertheless, though digital poses new security risks, it also offers a platform to revolutionize security, so that it is embedded, from the start, into the design of new products and services, rather than being a bolt-on addition, as is too often the case in the analogue world. And, with digital effectively breaking down what remains of traditional enterprise perimeters, the new security architectures digital enables must be accompanied by new security technologies and partnerships, if organizations are to survive and thrive in the digital world.
Responsibility for security starts and finishes in the boardroom. The World Economic Forum, which gathers the great and the good of the political and business world each winter in Davos, this year published a major report, Advancing Cyber Resilience: Principles and Tools for Boards, which warns:
“If strategic guidance … is not set at the governance level, then an enterprise cannot ensure its own cybersecurity or resilience. Rather than implementing post hoc solutions to problems after they occur, boards and leaders must rapidly develop known capabilities to provide a sound baseline to surmount the challenges ahead.”
For the CIOs and CISOs tasked with delivering that baseline, the last things they need are traditional vendors’ messages of fear, uncertainty and doubt, or a sales pitch for niche, point solutions. Rather, they need a realistic view of the challenges that enterprises face, and concrete examples of how the challenges can be overcome.
The risks remain ever-present and growing. In five years, the World Economic Forum has expanded its list of threats, which in 2012 included hacktivism, corporate espionage, government-driven action, terrorism and crime. The current list highlights dangers from disgruntled customers, human error, the supply chain, partner actions, insider action, hacktivism, crime, sabotage, corporate espionage, terrorism, state action and force majeure.
Of course, not every organization faces all of these threats all the time, but many attacks combine elements from several threat categories.
The recent WannaCry ransomware attack, for example, which hit more than 200,000 computers in 150 countries, including parts of the UK’s National Health Service, Spain’s telecoms giant Telefónica, global logistics firm FedEx and Germany’s state railway Deutsche Bahn, represented a combination of threat vectors.
The fundamental reason why the attack was so effective was the failure to patch old Microsoft Windows operating systems. But the issues that gave it such an impact were a combination of pure criminality, human error, supply chain and partner actions. You could also, arguably, add state action to the mix. The US National Security Agency discovered the flaw that WannaCry exploited and omitted to tell Microsoft. It then developed a tool to use the vulnerability for its own offensive purposes, which leaked onto the Dark Web.
Dig deeper into the WannaCry ransomware fiasco and, as Forrester analyst Chase Cunningham argues in an angry blog post: “It’s not the people, it’s not the technology, it’s not the systems, or the endpoints, or the networks that is the end game in this ‘hack’; it’s the data. If the bad guys can get to the data, be it a file or a database, or … (wherever) else the data is, that is where the threat is.”
The answer, then, is to protect the data, “and the beauty of this approach is that data is defensible, we can encrypt it, manage access to it, segment it (and) protect it,” adds Cunningham.
This data-centric approach is essential as enterprises embrace the core digital technologies of social, mobile, analytics and cloud. The explosive growth of the Internet of Things and the development of an API-driven infrastructure and of a platform economy make securing the data, rather than focusing on the organizational perimeters, even more important.
New security architectures necessitate innovative approaches to the procurement of security products and services. Already enterprises are consolidating or eliminating point solutions in favour of unified suites and looking to new partners, often cloud-based managed services, for help.
As analyst group Forrester put it in a recent Forrester Wave: Cloud Security Gateways report:
“As on-premises network security tools become outdated and less effective, improved behavioural and cloud malware detection and data loss prevention will dictate which providers lead the pack. Vendors that can provide data encryption, a large implementation and a partner ecosystem position themselves to successfully deliver cloud security to their customers.”
The report cited Symantec’s Cloud Security Gateway product as a market leader, highlighting particular strengths in proxy-based and API monitoring of cloud platforms, including Amazon Web Services and Microsoft Azure, and in cloud applications. Strong protection of structured data in applications such as Salesforce was also noted, alongside a wide selection of encryption and decryption policy options.
Other crucial security technologies for cloud and digital include anomaly detection, tokenization and multi-factor authentication, but new technical solutions are only part of the answer.
Enterprises also need a strategic shift from a reactive to a proactive cybersecurity strategy, argues Robert Arandjelovic, EMEA Director of Product Marketing at Symantec. This requires continuous assessment of threats and activity on systems and networks, and mitigation of risks that have been defined by the business in partnership with the CIO and CISO.
This approach lies behind a new partnership between Symantec and DXC Technology, the leading IT services company. Both organizations operate in an open ecosystem, using a wide variety of toolsets and partners. Symantec’s technical ability, combined with DXC Technology’s consulting and business change prowess and its own technical capability, can offer new skills and services to firms looking to speed up their cloud and digital transformation journey.
Faced with the digital revolution, business and technology leaders want to know what good security looks like and how to build it in from the very start of their transformation programmes. CIOs and CISOs who can show the way will be well placed to lead their organizations towards the exciting, data-driven future ahead.