By Martin Borrett, Director of IBM’s Institute of Advanced Security.
Security is no longer just the Chief Information Officer’s cross to bear alone, or indeed the Chief Information Security Officer’s burden. As more and more of society’s business goes digital, and the rise of unstructured data via social media breaches firms’ previously defensible perimeters, information security is becoming a common goal for everyone to strive towards. It is a subject that concerns, and worries, everyone in a company’s management team these days, from the CEO to the CFO, and sharing the load with senior management colleagues helps to ensure an effective policy.
Scan the papers any day of the week and the new reality of widespread security threats and data loss events is made crystal clear to any reader. Confidential hospital patient records wind up on the Internet. Hackers are attacking networks, and employees are losing their laptops and smartphones along with the sensitive corporate data stored on them. Retail bank customers’ accounts are hacked, cloned or spoofed. These are all real-world examples with real legal, financial, and brand consequences.
The reality is that the new digital world provides huge opportunities, but it also creates new risks. Cloud and mobile computing are cost-effective ways for employees to tap data anytime, anywhere, but they also open the door to losing control of that data. Globalisation means that corporate networks are more far-flung. Digitising services and customer care helps companies cater to customers, but it can also expose much more data.
These worries, and the consequent risk, pave the way for the concept of Security Intelligence. Security Intelligence applies advanced analytics and automation technology to the collection and analysis of information from hundreds of sources across an organisation, such as the network, applications, user activity, mobile endpoints and physical security devices such as badge readers. Analytics software flags abnormal, likely malicious, behaviour to predict and prevent issues before they impact the organisation.
In this increasingly complex and interconnected world, delegating security to only the CIO just compounds the risks. Evaluating the potential threats to the brand, understanding the financial implications of adverse events, or assessing the impact of tech disruptions is too much for one person to handle. Instead, the entire executive team needs to be involved in predicting, identifying, and reacting to potential threats. Building internal security and being flexible enough to constantly update policies is not insurmountable.
Based on IBM’s discussions with thousands of executives about security over the years, there are three important steps that need to be taken to foster effective security practices:
• Get informed: Take a structured approach to assessing business and IT risks. Security needs to be woven throughout the entire organisation, and to ensure that this is the case, every part of a company’s organisation needs to identify key threats and compliance mandates, review existing security risks and challenges, implement risk management programmes, and execute incident management plans when a crisis hits. Another step that businesses can take is to designate a risk executive who maintains regular communication with the board of directors and other executives about security-related issues and ensures that IT risk conversations become a part of everyday business.
• Get aligned: Security doesn’t stop at a company’s walls. Companies have to work with customers, employees, partners and auditors to put in place comprehensive security initiatives. For instance, businesses need to communicate with internal staff and external customers about policies for handling personal information, and remain transparent when privacy breaches happen. When it comes to partners, companies need to work across the supply chain to develop and implement security standards, and to develop programmes for reporting on and managing risks as a normal part of business operations. And with employees, organisations should set clear security and privacy expectations, provide education to identify and address security risks, and manage the access to and usage of both systems and data.
• Get smart: Analytics is the corporation’s trump card when it comes to security. It can be used to highlight risks and to identify, track, and tackle threats. Analytics can identify previous breach patterns and outside threats to predict potential areas of attack; it can mine employee system behaviour to identify patterns of potential misuse; and it can monitor the external environment for potential security threats.
At a global pharmaceutical company, for instance, a lack of correlation between reported threats and vulnerability data throughout its vendor network made it difficult to pinpoint real threats. The company began using security analytics that automatically process and analyse millions of security events in real time and can track and trend vulnerability and threat data over time. By taking an active approach, the company, which I cannot name, cut security management costs last year by 57%, while critical security events dropped from 10,000 each day to 15.
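The correlation the case study describes, matching reported exploit attempts against the vulnerabilities actually present on the attacked hosts and flagging abnormal behaviour from other sources, can be shown in miniature. The following is an added example written for this article; it is not IBM's, the author's or QRadar's code. All hosts, signature names, vulnerability ids (placeholders, not real CVE numbers) and events are constructed sample data, and the threshold rule stands in for the anomaly detection the article refers to.

```python
"""Toy security-analytics pass: correlate threat events with a vulnerability
inventory and flag abnormal behaviour, reducing a raw event stream to the
few items an analyst should look at.

Added example for this article; not IBM's, the author's or QRadar's code.
All data below is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str   # which feed produced it: "ids", "auth" or "badge"
    host: str     # affected host (constructed name)
    kind: str     # event type within that source
    detail: str   # signature id, user name, badge id, etc.


# Constructed vulnerability inventory: host -> vulnerability ids present on it.
# The ids are placeholders, not real CVE numbers.
VULNS = {
    "web-01": {"VULN-PLACEHOLDER-1"},
    "db-02": set(),
}

# Constructed threat feed: IDS signature -> the vulnerability it exploits.
THREATS = {
    "sig-exploit-A": "VULN-PLACEHOLDER-1",
    "sig-exploit-B": "VULN-PLACEHOLDER-2",
}

# Constructed sample events from three sources: network IDS, auth logs, badge readers.
EVENTS = [
    Event("ids", "web-01", "exploit_attempt", "sig-exploit-A"),
    Event("ids", "db-02", "exploit_attempt", "sig-exploit-A"),
    Event("ids", "web-01", "exploit_attempt", "sig-exploit-B"),
    *[Event("auth", "db-02", "login_fail", "svc-backup") for _ in range(6)],
    *[Event("auth", "web-01", "login_fail", "alice") for _ in range(2)],
    Event("badge", "dc-door-3", "door_open", "badge-0042"),
]


def exploitable_attempts(events, vulns, threats):
    """Keep only exploit attempts whose target vulnerability is actually
    present on the attacked host. An exploit aimed at a host that is not
    vulnerable to it is noise, not a critical event; this is the
    threat/vulnerability correlation the case study was missing."""
    critical = []
    for e in events:
        if e.source != "ids" or e.kind != "exploit_attempt":
            continue
        targeted = threats.get(e.detail)
        if targeted is not None and targeted in vulns.get(e.host, set()):
            critical.append(e)
    return critical


def login_failure_bursts(events, threshold=5):
    """Flag hosts whose failed-login count reaches the threshold: a simple
    behavioural rule standing in for anomaly detection."""
    failures = Counter(
        e.host for e in events if e.source == "auth" and e.kind == "login_fail"
    )
    return {host: n for host, n in failures.items() if n >= threshold}


def triage(events, vulns=VULNS, threats=THREATS):
    """Reduce the raw stream to the handful of findings worth an analyst's time."""
    critical = exploitable_attempts(events, vulns, threats)
    return {
        "raw_events": len(events),
        "critical": [(e.host, e.detail) for e in critical],
        "bursts": login_failure_bursts(events),
    }


if __name__ == "__main__":
    # Twelve raw events become one critical finding and one behavioural alert.
    print(triage(EVENTS))
```

The point of the example is the ratio, not the rules: of the twelve constructed events, two of the three exploit attempts are discarded because the targeted host does not carry the vulnerability, and only the host with a burst of failed logins is surfaced. Real platforms apply far richer correlation, but the same principle of joining threat data to asset and vulnerability context is what turns thousands of daily events into a short list.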
Business is open and connected; that is the reality of the digital economy these days. Companies don’t have to be needlessly exposed to threats, but CIOs simply don’t have the expertise to deal with this new world alone. Security today is more than a purely technical issue. It requires the insight and understanding that every top executive has of their own organisation, and it requires that insight to be shared in order to establish a secure environment.