Security is now a multidimensional, organisation-wide challenge, and it’s time for traditional IT security practices to catch up.
Firewalls, point solutions, and single-team approaches aren’t enough to combat the evolving nature of today’s threats. More users wielding more devices, torrents of data spread across the network, and hackers who never sleep mean IT security teams need all hands on deck. It’s time for a more holistic approach.
Here are three critical steps:
1. Address security—both outside and inside the perimeter
As recently as five years ago, the standard security protocol was to put everything behind a firewall. You needed to build protections for devices communicating outside the firewall, but any devices staying within your firewall were considered safe. This is still the dominant mindset today.
Perimeter security is critical—it filters out 98 percent of potential threats. But IoT and BYOD mean more devices are hooked into the network, and more devices provide more opportunities to breach the firewall. Meanwhile, hackers have gotten better at figuring out how to find open ports that allow them to bypass firewalls. It only takes one successful breach to cause big problems for the business. These days, it’s not if, but when an attack will occur. To minimise the response time and damage, segmenting your network and monitoring every connected device is critically important.
The higher number of devices within the network brings up a second factor—the user base. User activities are typically every security professional’s biggest challenge. The best firewall in the world can’t defend against a user clicking a malicious link or unknowingly providing sensitive data to the wrong person. Creating strong user policies and enforcing them with the authority of upper management should form the basis of a proactive, holistic approach to security.
2. Move from point solutions to proactivity
Many organisations address security challenges reactively or on a point-by-point basis. A breach happens, and they plug the hole. A vulnerability arises, and they apply a point solution to address it. But now, there are too many potential breach points and vulnerabilities that are too complex for a point-by-point strategy to be viable in the long term. As soon as you fix one hole, another one opens, because hackers never rest. Unlike office workers who end their work and head home at 6 p.m., hackers obsess over ways of breaching your security defences 24/7.
Security professionals need visibility across their entire network—not only on a day-to-day basis, but also on a minute-to-minute basis. Issues like governance and compliance make security needs even more comprehensive, because the potential risks to the business can include data loss, fines, and legal issues due to non-compliance.
3. Expand security beyond IT
Company leaders are finally beginning to understand how integral security is to running a smooth business. After all, a serious security incident has the potential to cease all operations. Security and IT teams are responsible for ensuring the business runs securely, but increasingly, security is also playing a role in helping the business to be more efficient.
As companies begin to clearly understand the challenge of maintaining security and invest in better resources, they should invite their CSOs and CIOs to join the board of directors to contribute to key decision making—and guide investment in the right resources. For their part, security and IT teams must strive to maintain the delicate balance between security and productivity. The highest possible security—disconnecting the entire network from the internet, for example—doesn’t always support the highest productivity. Security and IT teams should expect continuing collaboration with their company’s business leaders.
Security is always in flux
Whereas past IT security comprised a standard set of best practices, today’s security professionals must continually update their strategies and tactics, because that’s what hackers are doing. Security has transformed from an operational cost center to a strategic role, and it’s time for IT security professionals to own their input to the business’s success—if they can manage to stay on top of their game. Security is never going to be static, but that’s what makes the job exciting, right?