"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked."
-- Richard Clarke
In the world of information technology, the security team is often viewed with suspicion, frustration and complete bemusement from the outside. It's often comprised of the "no" men and women; the people with the power to block your well-designed initiatives and to shut down all but the most critical of network changes or application rollouts. They are gaining more and more power, but is that really a bad thing?
In an era where major network breaches are being reported with alarming frequency, information security budgets are growing accordingly as IT execs catch up with the facts on the ground. In its Global State of Information Security Survey 2016, PwC reported that information security budgets increased by 24% in 2015 alone, and that the "theft of 'hard' intellectual property increased by 56%" in the same period. Tacking on to that, some of the highest ranking cybersecurity experts in the government have also sounded the alarm about the need for a network security overview, with Richard Mueller, former director of the FBI, stating, "There are only two types of companies: those that have been hacked, and those that will be." Given this reality, is it any wonder that information security departments are gaining so much power, budget and control over all aspects of the business?
Not everyone has gotten the memo.
Rogue projects proliferate
Projects and initiatives are still being implemented without a network security overview by information security departments, often with disastrous consequences that may or may not be felt immediately. Rogue users or entire departments (frequently with at least tacit approval from managers) begin to set up outside services, resulting in what is commonly referred to as shadow IT. Maybe it starts with social media to replace kludgey corporate systems, or Dropbox to get around restrictive file-sharing policies, but it eventually finds its natural end at full-blown public cloud "shadow" environments.
While all of these behaviors carry serious risk of exposing sensitive company data -- either by users' credentials being compromised internally or by breaches happening to the external providers of the service in question -- they stem from serious needs: speed to execution and convenience. The problem with most enterprise security measures is that they tend to be slow in reacting to change not related to immediate security threats. If a user requests a better file-sharing experience, the services or applications that might fill that need must be vetted and balanced against the need for security. This often takes an inordinate amount of time and may, at the end of the process, result in a "no" from the security folks. So, in one established process, both the speed and the convenience that a user perceives as necessary to increase the value they bring to the company are stymied. Hence, shadow IT.
Questions, questions -- what do we do about it?
These issues are the same as have been faced by applications, storage, server and virtualization groups for some time now, and are currently being felt by the network team as well. The seemingly meteoric rise of software-defined [fill in the blank here] is a direct result of the perceived slowness on the part of the traditional network hierarchy, and while software-defined networking (as an example) may tackle the technology side of the equation, the real change comes from a more collaborative approach to the management of the entire IT ecosystem.
Holistic approaches to security, to achieve a network security overview, need to be adopted in order to bring the pendulum back to the center on the management and usage of corporate systems. The fewer silos the IT groups are neatly categorized into, the more awareness there is of the overarching needs of the business. As a result, the company can move more quickly and the dreaded workaround is largely avoided. The more application teams -- or users and departments -- are brought into a collaborative process, the more they will be valued and their concerns addressed. The net result? Better security.
There is a truth in network security: past a certain point, the more password complexity you require to log into a service, the less security you actually have. At some point, users can't, or choose not to, remember these more complicated passwords, and so what do they do? They write them down and keep them somewhere close to their computers. The same can be said for security roadblocks during the course of doing business. The more you clamp down on security, and the more you operate in a vacuum, the less security you actually attain. The need for a network security overview could not be clearer.