As more organisations progress their digitalisation strategies, it’s crucial that security is at the core of every business decision. Amrit Williams, VP Products, Skybox Security, tells us why security should be built into innovation to ensure the benefits of Digital Transformation can be effectively reaped.
Innovation is the lifeblood of business today. Organisations need to constantly innovate to enter new markets and provide new services – and do it better and faster than their competition.
Digital Transformation, where technology is applied in creative ways to traditional problems, has aided the speed, agility and cost-effectiveness of innovation projects. However, it has more often than not pushed security to the sidelines.
Historically, the dichotomy between security and innovation has meant that if you want to move fast, you could get hurt; if you want to be secure, you’ll hardly move at all. As a result, innovation has regularly bypassed security teams, ignoring advice and shirking policy.
In the case of cloud migrations, operations teams often didn’t involve the security group at all, then decided a specialised security group was needed and finally arrived at the conclusion that cloud was a part of the infrastructure all along and the traditional security team should oversee these networks as well.
This lack of strategy for cloud migrations proved short-sighted and costly. It also could have opened organisations up to new cyber-risks, damaging attacks and regulatory violations. But a lesson should be learned from these mistakes.
Innovation will happen regardless of security’s involvement, but security is a critical element to the success of the initiative. Security should play an active role in innovation strategy and execution, advising on how best to achieve goals while minimising risk.
An era of tectonic change
Despite the newness of dynamic computing technology, in 2018, 77% of enterprises reported having at least one application or some portion of their enterprise computing infrastructure in the cloud. This means the network infrastructures on which enterprises are built have changed dramatically in a short period of time.
In addition to cloud adoption, other changes have contributed to a network complexity unimaginable even just a decade ago. A global economy has made internationally dispersed, mobile workforces and outsourcing commonplace, creating countless connections which traverse many geographies – and regulatory mandates. And everything has gone digital, proliferating technology and systems that produce and manage data. In this environment, complexity has become the number-one issue facing the CISO.
Because of the scale and complexity of networks today, gaining the visibility to understand and secure these infrastructures is a bigger challenge now than ever. Organisations struggle to answer what should be a simple question: what is it I’m trying to protect and how well is it being protected?
But if you can’t see it, you can’t tell if it’s secure. This lack of visibility makes security the department of ‘no we can’t’ because they can’t picture their security status as it is now, let alone how it will look throughout an innovation project. To be the department of ‘yes we can’ security needs to start with visibility.
Answering the first portion of the above question is difficult: What is it I’m trying to protect? You have to be able to establish and maintain a record of all the assets where data resides – whether it’s intellectual property, personal identifying information, financial records, email, etc. These assets should be categorised with appropriate business attributes and updated as the organisation changes.
Creating an accurate asset record becomes a major challenge for assets in the cloud, as virtual machines are spun up and down even on an hourly basis. Also, for critical infrastructure and manufacturing organisations who have operational technology (OT) networks, the scale of OT devices can dwarf that of IT assets even in major enterprises or government agencies. In order to maintain an accurate and complete asset record, data collection has to be automated.
Answering the second portion of the question – how well is it being protected? – is even harder because it requires insight into the assets as well as contextual understanding of their relationship to security controls and network paths.
For example, in order to understand the risk to any assets holding customer credit card information, you’d need to know which assets pertain to this data, their vulnerabilities, the threats leveraging those vulnerabilities and the security controls affecting those assets’ exposure to threats.
Exposure is the critical element of security status that is impossible to understand without insight into the relationship between the assets and the network infrastructure. It becomes especially important during times of change – such as cloud migrations, mergers and acquisitions – as attackers routinely use times of chaos as opportunities to slip behind defences unnoticed.
To look at another example where exposure is an important consideration, let’s look at a change to a firewall rule. These changes are made every day in an organisation to refine access and enable new services.
To make sure a proposed change is secure, you have to know which firewalls are relevant to the change; if the change adheres to rule, access and configuration compliance policies; and if the change would open up a network path to a vulnerable asset. If a change to a firewall is going to create a risky exposure, it undermines the purpose of the firewall as a security control.
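The pre-change check described above can be sketched as follows. This is an added example, not code from the article or from any vendor product; the asset inventory, rule base, access policy and the first-match rule semantics are all constructed assumptions.

```python
from ipaddress import ip_network, ip_address

# Constructed inventory: asset IP -> (business tag, ports with a known exploitable vulnerability)
ASSETS = {
    "10.20.0.5": ("cardholder-data", {1433}),
    "10.20.0.9": ("cardholder-data", set()),
    "10.30.0.7": ("intranet-wiki", {8080}),
}
# Constructed rule base, first match wins: (source, destination, port, action)
RULES = [
    ("10.10.0.0/24", "10.20.0.0/24", 443, "allow"),
    ("0.0.0.0/0", "10.20.0.0/24", None, "deny"),  # port None = any port
]
# Hypothetical access policy: only these sources may reach assets with this tag
POLICY = {"cardholder-data": [ip_network("10.10.0.0/24")]}

def allowed(rules, src, dst, port):
    """First-match evaluation of one flow; default deny."""
    for r_src, r_dst, r_port, action in rules:
        if (ip_address(src) in ip_network(r_src)
                and ip_address(dst) in ip_network(r_dst)
                and r_port in (None, port)):
            return action == "allow"
    return False

def assess_change(rules, new_rule, position=0):
    """Return (policy_violations, newly_exposed) for inserting new_rule at position."""
    src_net, dst_net = ip_network(new_rule[0]), ip_network(new_rule[1])
    after = rules[:position] + [new_rule] + rules[position:]
    violations, exposed = [], []
    probe = str(src_net.network_address)  # simplification: one representative source host
    for ip, (tag, vuln_ports) in ASSETS.items():
        if ip_address(ip) not in dst_net:
            continue  # asset is not behind the destination of this change
        if tag in POLICY and not any(src_net.subnet_of(ok) for ok in POLICY[tag]):
            violations.append((ip, tag))
        for port in sorted(vuln_ports):
            # Exposure = a vulnerable service reachable after the change but not before
            if allowed(after, probe, ip, port) and not allowed(rules, probe, ip, port):
                exposed.append((ip, port))
    return violations, exposed
```

Inserting the same rule below the existing deny rule reports no new exposure, because the deny shadows it, while the policy violation is still flagged.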
So, does your organisation have the visibility it needs to enable secure innovation?
Below is a good checklist to gauge where you are:
- Do I have a record of all my assets?
- If an asset is compromised, do I know the potential impact to my business?
- What vulnerabilities are present on my assets and which do I know could be exploited?
- What’s protecting the asset or leaving it exposed in my hybrid network?
- Are my devices enforcing best practices designed in my security policies?
- Can I maintain visibility even as my network changes?
A world of possibilities
With good visibility, security teams can provide the foundation needed to innovate without introducing the organisation to undue risk.
For organisations undergoing Digital Transformation (and which aren’t these days?), visibility ensures the many new and varied assets that come with this initiative are properly protected within the network infrastructure.
For those undergoing cloud migrations or already working in hybrid environments, visibility is a vital tool to ensure that policies are consistently enforced by traditional or cloud mechanisms. Visibility also ensures that vulnerabilities and risks are known throughout the migration process and in the hybrid network.
Organisations looking to improve their cyber-resilience leverage on-demand visibility to proactively address risks, rapidly respond to attacks and recover quickly, minimising business disruption.
Companies embarking on mergers, acquisitions and divestments use visibility to securely plan how to incorporate or divorce networks and continually manage risk and compliance requirements throughout the process.
And for critical infrastructure and manufacturing organisations with OT networks, visibility helps them to realise the business benefits of IT-connected operational technology, while minimising cyber-risks to operations.
With all of these innovation initiatives, it’s important to remember that security shouldn’t be an afterthought. Rather, it should help lay the path that will enable organisations to meet their immediate and long-term goals.
To be the secure innovation enabler, CISOs should look for solutions that connect the dots between many facets of security and operations; that provide visibility of what you’re trying to protect and how well you’re protecting it; and use visibility to power intelligent processes, unify teams and strategically secure the business today and into the future.
With these capabilities, they can earn their seat in the C-suite and be involved from the start of innovation initiatives as a trusted advisor key to the success of the business.