The digital revolution is transforming every aspect of the economy and the technology platforms that all our businesses and services run on.
For CEOs, CIOs and enterprise security experts, it presents unique opportunities and challenges. The opportunities are well known – the creation of new products and services, and even whole new industries. Digital levels the playing field and allows ambitious and innovative start-ups to challenge powerful incumbents in existing markets and define new markets that well-established organisations are forced to respond to.
The challenges posed by the digital revolution are well known as well, and they stem from its very essence – data. Data is the fuel and the currency of the digital revolution, but the more data is gathered, aggregated, analysed and shared, the greater the risk of its misuse.
Nevertheless, though digital poses new security risks, it also offers a platform to revolutionise security, so it is embedded, from the start, into the design of new products and services, rather it being a bolt-on addition, as is too often the case in the analogue world. And, with digital effectively breaking down what remains of traditional enterprise parameters, the new security architectures digital enables must be accompanied by new security technologies and partnerships, if organisations are to survive and thrive in the digital world.
The responsibility for improving security starts and finishes in the boardroom. The World Economic Forum, which gathers the great and the good of the political and business world each winter in Davos, this year published a major report, “Advancing Cyber Resilience Principles and Tools for Boards”, warning that: “If strategic guidance … is not set at the governance level, then an enterprise cannot ensure its own cybersecurity or resilience. Rather than implementing post hoc solutions to problems after they occur, boards and leaders must rapidly develop known capabilities to provide a sound baseline to surmount the challenges ahead.”
The last thing the CIOs and CISOs assigned to deliver that baseline need are traditional vendors’ messages of fear, uncertainty and doubt, or a sales pitch for niche, point solutions. On the contrary, they need a realistic view of the challenges the enterprises are facing, and concrete examples of how to overcome the challenges.
The risks remain ever-present and growing. In just five years, the World Economic Forum has expanded its list of threats. In 2012 the list included hacktivism, corporate espionage, government driven threats, terrorism and crime. The current list highlights dangers from disgruntled customers, human error, the supply chain, partner actions, insider action, hacktivism, crime, sabotage, corporate, espionage, terrorism, state action and force majeure.
Certainly, not every organisation faces all of these threats all the time. However, many attacks combine elements from several threat categories.
The recent WannaCry ransomware attack, for example, which hit more than 200,000 computers in 150 countries, including parts of the UK’s National Health Service, Spain’s telecommunications giant Telefónica, the global logistics firm FedEx and Germany’s state railway Deutsche Bahn, was a complex combination of several threat vectors.
The fundamental reason why the attack was so effective was the failure to patch old Microsoft Windows operating systems. What made the attack have such big impact was the combination of pure criminality, human error, supply chain and partner actions. You could also, arguably, add state action to the mix. The US National Security Agency discovered the flaw that WannaCry exploited and omitted to tell Microsoft. Then it developed a tool to use the vulnerability for its own offensive purposes, which leaked onto the Dark Web.
Dig deeper into the WannaCry ransomware fiasco and, as Forrester’s analyst Chase Cunningham argues in an angry blog post: “It’s not the people, it’s not the technology, it’s not the systems, or the endpoints, or the networks that is the end game in this ‘hack’; it’s the data. If the bad guys can get to the data, be it a file or a database, or … (wherever) else the data is, that is where the threat is.”
The answer, then, is to protect the data.“And the beauty of this approach is that data is defensible, we can encrypt it, manage access to it, segment it (and) protect it,” adds Cunningham.
This data-centric approach is essential as enterprises embrace the core digital technologies of social, mobile, analytics and cloud. The explosive growth of the Internet of Things and the development of an API-driven infrastructure and of a platform-economy make securing the data, rather than focusing on the organisational perimeters, even more important.
New security architectures necessitate innovative approaches to the procurement of security products and services. Already enterprises are consolidating or eliminating point solutions in favour of unified suites and looking to new partners, often cloud-based managed services, for help.
As analyst group Forrester put it in a recent “Forrester Wave: Cloud Security Gateways” report:
“As on-premises network security tools become outdated and less effective, improved behavioural and cloud malware detection and data loss prevention will dictate which providers lead the pack. Vendors that can provide data encryption, a large implementation and a partner ecosystem position themselves to successfully deliver cloud security to their customers.”
The report cited Symantec’s Cloud Security Gateway product as a market leader, highlighting particular strengths in proxy-based and API monitoring of cloud platforms, including Amazon Web Services and Microsoft Azure, and in cloud applications. Strong protection of structured data in applications such as Salesforce was also noted, alongside a wide selection of encryption and decryption policy options.
Other crucial security technologies for cloud and digital include anomaly detection, tokenisation and multi-factor authentication, but new technical solutions are only part of the answer.
“Enterprises also need a strategic shift from a reactive to a proactive cyber-security strategy,” argues Robert Arandjelovic, EMEA Director of Product Marketing at Symantec. This requires continuous assessment of threats and activity on systems and networks, and mitigation of risks that have been defined by the business in partnership with the CIO and CISO.
This approach lies behind a new partnership between Symantec and DXC Technology, the leading IT services company. Both organizations operate in an open ecosystem, using a wide variety of toolsets and partners. Symantec’s technical ability combined with DXC Technology’s consulting and business change prowess and its own technical capability, can offer new skills and services to firms looking to speed up their cloud and digital transformation journey.
Faced with the digital revolution, business and technology leaders want to know what good security looks like and how to build it in from the very start of their transformation programmes. CIOs and CISOs who can show the way, will be well placed to lead their organizations towards the exciting, data-driven future ahead.