Is security getting in the way of doing business? That is the premise behind the formation of one of the UK's most prominent security user groups, the Jericho Forum. Led by information security chiefs from companies such as the Royal Mail, ICI and Standard Chartered Bank, the group aims to pressure security vendors to develop interoperability standards, thus securing data without impeding its exchange.
What they are reacting to is the fact that the traditional concept of a security perimeter is rapidly dissolving. Mobile devices, remote working and the opening up of systems to enable connections with partners or customers make defining – let alone defending – that perimeter an almost impossible task. Some technologies, such as web services and instant messaging, even bypass network controls altogether. Jericho advocates bringing down the perimeter by taking security to a more granular, device- or even data-based level.
"Jericho is all about looking at operating without a hardened perimeter," says Paul Simmonds, global information security director at chemicals giant ICI and co-founder of the Jericho Forum. "Our borders are less and less successful, more porous. The other side of the business is forcing us that way anyway as the border is inhibiting the ability to do business fast. If we didn't have a border we could do business direct from one company's IP [Internet protocol] to another."
But not everyone wholeheartedly agrees with that position. Jason Creasey, head of projects at the Information Security Forum (ISF), a large global user group, says he supports Jericho's aims but adds: "Most members felt there was still a significant network boundary in place. The perimeter hasn't disappeared, it's just more vulnerable."
But he adds that fundamentally, the solution is the same. "Get the basics right. It's only because over time people have become reliant on fortress-style networks that they forgot about the basics. If you have information of a particularly sensitive or confidential nature, such as a new drug [developed over years by a pharmaceutical company], you should encrypt it 17 different ways whether you thought the network [perimeter] was there or not."
Balancing security with business needs is a managerial as well as technical challenge. A comprehensive security policy, informed by risk assessments and backed by senior executives, is a vital way to take a strategic approach to securing the enterprise.
However, research by UK analyst group Quocirca has found that many companies formulate policies – often as part of attempts to comply with headline-grabbing industry regulations – then fail to keep them up-to-date, so they become ignored. "People think about security strategically then deal with it tactically," says Quocirca's Jon Collins. "It's basic human nature – when you're fighting fires, the policy is always lagging. But it is absolutely vital to have a dynamic attitude to policy."
He says a recent survey of IT managers, business users and technical operations staff found that more than half felt they wasted more than a day every month due to security problems – even in organisations with a policy in place. A commonly proffered solution is a security management console, similar to the ‘dashboards' sold by business intelligence software providers. But Collins says these are not proving as popular as expected, given the disparity between many companies' security ideals and their day-to-day reality (see graph).
For those that do adopt security reporting and measurement tools, the challenge is to make sure the right individuals see the right information in the right way. "Just having a fancy dashboard doesn't mean the intended audience is interested in that information in that format," says Tom Scholtz, an analyst with research giant Gartner. Some reports might be more useful to operational staff than management. But, done properly, such tools can be invaluable. "It is crucially important for information security practitioners to measure and communicate the value of what they do," he says.
There are two other options available for CSOs seeking to ease the management burden: appliances and outsourcing. While initially viewed with suspicion, security appliances are now being adopted for their ease of installation – although they remain unlikely to replace standalone software products altogether. The managed security services market has also shown slow but steady growth as companies that outsource other areas of IT see the value in having experts monitor specific services such as firewalls, email hygiene or Internet traffic.
Both approaches indicate a shift in attitude. "There is more focus on ease of use, manageability and time to value," says Scholtz. "In the security space, the common wisdom was that companies should buy the best-of-breed solution, but the pendulum is swinging back as they realise it might be better to have an 80% solution that can be easily installed and managed than a 98% solution that is so complex it fails."
That sort of approach will truly ensure security does not get so tight that it ends up strangling the business it is supposed to be protecting. ns security getting in the way of doing business? That is the premise behind the formation of one of the UK's most prominent security user groups, the Jericho Forum. Led by information security chiefs from companies such as the Royal Mail, ICI and Standard Chartered Bank, the group aims to pressure security vendors to develop interoperability standards, thus securing data without impeding its exchange.
What they are reacting to is the fact that the traditional concept of a security perimeter is rapidly dissolving. Mobile devices, remote working and the opening up of systems to enable connections with partners or customers make defining – let alone defending – that perimeter an almost impossible task. Some technologies, such as web services and instant messaging, even bypass network controls altogether. Jericho advocates bringing down the perimeter by taking security to a more granular, device- or even data-based level.
"Jericho is all about looking at operating without a hardened perimeter," says Paul Simmonds, global information security director at chemicals giant ICI and co-founder of the Jericho Forum. "Our borders are less and less successful, more porous. The other side of the business is forcing us that way anyway as the border is inhibiting the ability to do business fast. If we didn't have a border we could do business direct from one company's IP [Internet protocol] to another."
But not everyone wholeheartedly agrees with that position. Jason Creasey, head of projects at the Information Security Forum (ISF), a large global user group, says he supports Jericho's aims but adds: "Most members felt there was still a significant network boundary in place. The perimeter hasn't disappeared, it's just more vulnerable."
But he adds that fundamentally, the solution is the same. "Get the basics right. It's only because over time people have become reliant on fortress-style networks that they forgot about the basics. If you have information of a particularly sensitive or confidential nature, such as a new drug [developed over years by a pharmaceutical company], you should encrypt it 17 different ways whether you thought the network [perimeter] was there or not."
Balancing security with business needs is a managerial as well as technical challenge. A comprehensive security policy, informed by risk assessments and backed by senior executives, is a vital way to take a strategic approach to securing the enterprise.
However, research by UK analyst group Quocirca has found that many companies formulate policies – often as part of attempts to comply with headline-grabbing industry regulations – then fail to keep them up-to-date, so they become ignored. "People think about security strategically then deal with it tactically," says Quocirca's Jon Collins. "It's basic human nature – when you're fighting fires, the policy is always lagging. But it is absolutely vital to have a dynamic attitude to policy."
He says a recent survey of IT managers, business users and technical operations staff found that more than half felt they wasted more than a day every month due to security problems – even in organisations with a policy in place. A commonly proffered solution is a security management console, similar to the ‘dashboards' sold by business intelligence software providers. But Collins says these are not proving as popular as expected, given the disparity between many companies' security ideals and their day-to-day reality (see graph).
For those that do adopt security reporting and measurement tools, the challenge is to make sure the right individuals see the right information in the right way. "Just having a fancy dashboard doesn't mean the intended audience is interested in that information in that format," says Tom Scholtz, an analyst with research giant Gartner. Some reports might be more useful to operational staff than management. But, done properly, such tools can be invaluable. "It is crucially important for information security practitioners to measure and communicate the value of what they do," he says.
There are two other options available for CSOs seeking to ease the management burden: appliances and outsourcing. While initially viewed with suspicion, security appliances are now being adopted for their ease of installation – although they remain unlikely to replace standalone software products altogether. The managed security services market has also shown slow but steady growth as companies that outsource other areas of IT see the value in having experts monitor specific services such as firewalls, email hygiene or Internet traffic.
Both approaches indicate a shift in attitude. "There is more focus on ease of use, manageability and time to value," says Scholtz. "In the security space, the common wisdom was that companies should buy the best-of-breed solution, but the pendulum is swinging back as they realise it might be better to have an 80% solution that can be easily installed and managed than a 98% solution that is so complex it fails." That sort of approach will truly ensure security does not get so tight that it ends up strangling the business it is supposed to be protecting.
|
|||||