IT Security’s Evolving Threat Landscape and New Reality
A few weeks ago, we sat down with our own CIO and Information Security Officer to talk about the real world of protecting business assets. With vulnerabilities and major security alerts like Heartbleed and the recent Internet Explorer Vulnerability, it’s a more sophisticated practice than just being on your toes and it takes a lot of people to keep a business secure. Here’s what our team had to share.
If you’ve seen the movie Catch Me If You Can, you know the tale of Frank Abagnale, Jr. His is the story of a remarkable con artist who, before his 19th birthday, bilked numerous victims out of millions of dollars as a Pan Am pilot, a doctor and even a legal prosecutor. The epilogue to these escapades is that Mr. Abagnale becomes a highly respected consultant on forgery, embezzlement and secure documents.
What Frank Abagnale is to forgery, hackers are to IT security. If, of course, those hackers ultimately end up on the side of good.
Ask Mike Guggemos, Insight’s chief information officer, what makes a good security practitioner, and you will get this reply: “Someone technical with broad business acumen who looks to support business objectives while mitigating risk. Someone who can think with just a bit of deviance.” He goes on to explain why deviance is called out: “That’s what makes really competent security folks enigmatic; they do good by thinking bad. Technology fails. Education mitigates. Mindset matters.”
Why you need to catch a few thieves – for your team
In this scenario — indeed in this era of security — that bit of deviance is a valuable soft skill that companies look to add to their security teams so that they can offer prompt, reactive mitigation. In the more ideal scenario, it is that same soft skill which helps IT security teams root out the ways their environments might be exploited before an attacker does. People who can deftly slip between the network barriers, the software encryption, the firewalls and the myriad other company defense tactics are taking on an increasingly important role.
“IT people look for use cases. They are looking for ways that information technology can solve a business problem,” said Insight Information Security Officer Dennis Spalding. “Security people – they look for misuse cases to see how that good solution can be exploited. Information Security’s goal is ultimately to help business succeed – securely.”
Go ahead, hack yourself
It’s identifying the misuse cases that has become increasingly important for companies, especially those who have huge volumes of customer data to protect. Even the best developers operate on deadlines. They are under the gun to make a company initiative go live or get a system in place. That kind of pressure can lead to a just-good-enough release that meets the business need but may not pass muster with the security crowd. Putting those kinds of IT efforts in the hands of a team who can pick them apart, thinking like hackers, can be the difference between being a thriving business and closing up shop.
“Security failures can cause your company to shut down,” said Guggemos. “There are companies that cease to exist because they lose the confidence of customers…People at senior levels are getting fired for it and now boards are worried.”
Spalding expands on the point, “One major change that’s occurred in the past few years is that people are finally accepting security as a business problem, not just a systems or network problem.”
What “Or else” looks like
Major organizations like Target and Neiman Marcus have experienced recent breaches where the fallout had consequences far beyond the IT department. Target replaced its CIO and CEO within six months of the security scandal, its stock took a notable hit, and media routinely use its name in conjunction with stories about “consumer trust” and “customer confidence.” Neiman Marcus is a privately held company, so detailed information about the specifics of its security breach and its subsequent resolution is not public – for which it is likely very grateful.
“Security is everyone’s problem,” said Spalding. “There’s a role played by everyone. From top leadership to the newest employee, we all have the responsibility to protect, defend and respond.”
Spalding’s position is reinforced by the number of security solutions available for IT. There is no system or segment of the environment that isn’t getting attention from publishers and manufacturers. All of these tools are meant to work in conjunction to provide a more complete level of protection.
At the end of the day, the best defense is a human.
“We want people to report into our internal systems when they find an issue,” said Spalding. “I want every teammate to be trained to think, ‘I’m the first defense for the company.’”