Can we keep it simple?

Surendra Singh

Today’s data and security challenges cry out for a simple solution but, somehow, they seem to evolve into even more labyrinthine puzzles.  As Information Security & Strategy Officer, my discussions with CSOs regularly focus on the same small set of “How Can I…?”issues – and the ways we might solve them together. Are these topics on your agenda, too?

How Can I…Keep It Simple?

Elegant simplicity is always the preferred option but, in truth, too many security solutions are like washing machines – they offer dozens of programs but most people only use three. To be effective, solutions must talk, share intelligence and learn from each other but with so many technologies in our businesses - at best soldered together – can they hope to address all the new cloud computing, mobile and social networking innovations which are flooding our infrastructure?

…Keep It Relevant?

AV, IDS/IPS, load balancers, routers, switches, applications, databases - all these components (and many more) in our complex systems are overwhelming us with data that we aren’t necessarily reviewing on a regular basis. Does an IDS or firewall log have much value when there is so much raw data? Even SIEMs aren’t smart: they simply turn data into information which must be collated and analysed before we can understand what to do with it. Even then, it’s going to take more than action lists: CSOs need help steering towards an effective overall risk management strategy.

…Keep It Intelligent?

Of course, CSOs need this data which can be transformed into information to provide intelligence on which to base sound decisions. The more intelligence CSOs receive, the bigger the benefit. Unfortunately, many security solutions fall short by simply providing information, which leads to reactive actions vs. proactive actions.

…Keep It Affordable?

There’s a pressing need for a risk-based approach that is simple to implement. And while governance, risk management and compliance (GRC) solutions exist, many are very expensive and few companies can afford them. Usually, these solutions are rule-based and are not intelligent, are overly complex and don’t take a data-centric view.

As more CSOs partner with others and continue cloud adoption, GRC will be the tool of the future to help manage risk because they will have less and less direct infrastructure control. It follows that we need a GRC solution that is easier to deploy and manage.

…Keep It Visible?

Security is all about the data, not the device or outlet. So whether it is on a handheld, a tablet or in the cloud, we need to know where our data is, who is using it and when it is accessed - even if it was just created. We also need control of the data, both at home or in the hands of collaborating partners, with a kill switch as a last resort if our data is not in the right place.

…Keep It To Myself?

The advent of BYOD has made IT personal and it can be great for business. Executives are keen to allow personal devices on the network but most CIOs want security and data protection without locking down the device with mobile device management (MDM).

Personally, I don’t believe MDM is the solution as it just applies the existing methods of endpoint security to a new era of mobile devices. It doesn’t show how we can allow easy access to our networks and data but retain full visibility and control of the data. My preferred way forward is a hybrid of DLP and DRM mixed with virtual sessions. And for certain applications, data is then routed back into the data center.

…Keep It Vigilant?

Phishing may be an old security headache but its clever cousin, Spear-Phishing, is the number one way to entrap important users through a well-researched, personalised lure. We asked 200 CISOs “Are you confident you can stop a spear-phish attack on your CEO?” And not one said they were.

Even when your security technology is mixed with an awareness program, 15 percent of targets will still click. Clearly, whilst trusting training and common sense, the technology must be the first line of defence. An email security solution needs cloud-based spear phishing protection which analyses any never-before-seen URLs before they hit your network - standard spam filters do not do this.

Also, many spear-phishing lures avoid the corporate email system and target your CEO’s Gmail account. So, you need a web security gateway that can protect your user when they click on a link. There are very few web security gateways that are spear-phish-aware.

…Keep It In Front Of The Board?

Finally, keeping security at the top of the corporate agenda is a continuous challenge. We are winning IT battles every day but our Directors must understand that the war is still raging. With so many new security challenges and emerging threats to address, how can we best demonstrate that security IS a senior executive problem and underline our value to the CEO and Board of Directors?

(The author is Surendra Singh, Regional Director – India & SAARC, Websense)