1st row Archives - Security IT Summit | Forum Events Ltd

1st row

The four biggest mistakes in IT security governance

960 640 Guest Post

By Atech

Intelligent IT security and endpoint protection tools are critical components of security governance, and the stakes within today’s threat landscape have never been higher.

A lapse in identity protection or zero trust networks could spell financial disaster for a company. We know that attacks are increasing in sophistication and frequency, and in cost with research showing the average cost of a data breach at an eye-watering $4.24 million.

But what about the other end of the spectrum? How can companies identify and rectify issues in their security governance before they become a problem?

#1 Not realising you are a target with less-than-perfect cloud IT security

Many business leaders using cloud data storage mistakenly believe they are not vulnerable to security breaches from outside attackers. However, this is not the case.

The barriers to entry in becoming a cybercriminal are incredibly low, yet the cost to a brand’s reputation is staggeringly high. Furthermore, fines issued to businesses for not adequately managing customer data are also extremely costly.

Therefore, IT leaders need reliable security governance systems and full visibility over user data, secure identity and access management protocols, encryption, and more.

Businesses can update their IT security playbook by partnering with managed security service providers. By understanding the distinct accreditations that service providers display, solution specialisms can be distinguished from operating procedures, to build a real picture of how the service aligns with your business’ needs. You need to receive timely guidance on the latest cloud security threats and how to mitigate them and how to remediate fast. This can only come with in-near-real-time insights of behaviours and attacks and with the expert support of a security operations centre, carrying an industry recognised accreditation such as CREST.

We outline the biggest mistakes in IT security governance and provide a comprehensive view of today’s cloud security challenges and how best to tackle them as an organisation. Read on to identify the other critical mistakes you could be making.

Just Say Yes – Why CISOs must now embrace SD-WAN

960 640 Stuart O'Brien

Digital Transformation has become a business imperative, yet rather than pulling together to enable essential change, the friction between network and securityteams is increasing. The business needs to move away from data centres and traditional Wide Area Networks (WAN) to exploit the cost, flexibility and agility provided by the cloud and Software Defined WANs (SD-WAN).

Chief Information Security Officers (CISOs), especially those working in regulated industries, insist the risks associated with public infrastructure are too high. Stalemate.

Until now. Organisations are pressing ahead with Digital Transformation plans and excluding the CISO from the conversation. But at what cost? Who is assessing the implications for regulatory compliance? At what point will the Chief Risk Officer prohibit the use of the SD-WAN for sensitive data, leaving the business running legacy and new infrastructure side by side, fundamentally undermining the entire Digital Transformation project? A new attitude is urgently required, one based on collaboration, understanding and a recognition that a Zero Trust security posture can safeguard even the most sensitive data, while unlocking all the benefits associated with SD-WAN.

As Simon Hill, Head of Legal & Compliance, Certes Networks insists, it is time for CISOs to take a lead role in the Digital Transformation process – or risk being side-lined for good.

Accept Change

CISOs need to face up to the fact that Digital Transformation is happening – with or without them.  Organisations need to embrace the agility, flexibility and cost benefits offered by the cloud, by Software as a Service and, critically, the shift from expensive WAN technology to SD-WAN. For CISOs, while the migration to SD-WAN extends the attack surface, adding unacceptable data vulnerability, saying no is not an option any more. CISOs risk being left out of the Digital Transformation loop – and that is not only adding significant corporate risk but also compromising the expected benefits of this essential technology investment.

Network and IT teams are pressing ahead, insisting the risk is acceptable. How do they know? For any organisation, this is a dangerous compromise: critical risk decisions are being taken by individuals who have no understanding of the full implications. For those organisations operating in regulated industries, these decisions could result in an exposure to $10s millions, even $100s millions of penalties.

Failure to embed security within the initial Digital Transformation strategy is also compromising progress. What happens when the CISO or Chief Risk Officer discovers the business is in the process of migrating from the old WAN to a new SD-WAN environment? Suddenly the brakes are on, and the call is for sensitive data to be encrypted before it hits the network. Adding Internet Protocol Security (IPsec) tunnels will degrade performance – so the business is then stuck using the legacy WAN for data connectivity while still paying for the SD-WAN and failing to gain any of the agility or cost benefits.  More frustration. More friction between teams that should be working together to support business goals.

Drive Change

Security is a fundamental component of Digital Transformation – indeed of corporate operating strategy. Rather than avoiding change, CISOs have a responsibility not only to secure the organisation but proactively advocate change, with security as the key enabler of Digital Transformation.

Digital Transformation does not by default create an inherently insecure environment – but it will require organisations to, somewhat belatedly, embrace a Zero Trust model.  It has been clear for many years that there is no correlation between ownership and trust. Just because a company owns infrastructure and assets does not automatically infer total trust over data security. Similarly, infrastructure outside the business is not inherently untrustworthy. The key is to build trust into a secure overlay to protect data that will allow a business to operate across any infrastructure whether it is owned or public.

A High Assurance SD-WAN overlay, for example, uses crypto-segmentation to protect and ensure the integrity of sensitive data. With this Zero Trust approach, High Assurance SD-WAN means whether the network is public or private, trusted or untrusted, is irrelevant: the data security team simply needs to define the policy and, with ownership of the cryptography keys, can be confident that data is protected at all times wherever it goes.

Working Together

Adopting a Zero Trust security posture changes the outlook for CISOs – and provides a foundation for vital collaboration with the networking and IT teams. With confidence that the data is secure regardless of network location, everyone involved in Digital Transformation can achieve their goals: IT and network teams can embrace the flexibility and agility of the cloud, SaaS and SD-WAN, while the securityteam still has control of the security posture.

This can only be achieved if the business embraces a different mindset. It is essential to think about security by design from the outset – and to break down the barriers between network, IT and security. The introduction of the Secure Access Service Edge (SASE) framework provides clear guidelines for the convergence of these teams to drive additional business value but the onus – and opportunity – lies with the CISO to ensure the entire organisation truly understands the Digital Transformation objectives.

This also demands an essential shift away from a regulatory compliance focused security posture – something that is inherently flawed due to the impossibility of creating regulations that keep up with the ever changing security threats – towards a truly business driven approach. Working together to plan the Digital Transformation process may take a little more time up front but it will result in a secure foundation that will remove any constraints to innovation and agility.

Conclusion

It is time for CISOs to change. There is no value in endlessly blocking essential new technology projects; and no upside in being excluded from vital plans as a result. By taking a proactive stance and driving Digital Transformation strategies, CISOs can redefine the role, become a key strategic player within the business and act as an enabler, rather than a constraint, to operational success.

It is time to find a way to say yes to secure Digital Transformation – without compromise.