Guy Givoni, AlgoSec vice president and APAC general manager
Proliferation of business-based security rules, tempered by a lack of consistency in how they are applied, is creating a management nightmare that is compromising the integrity of many companies’ security efforts, an AlgoSec security specialist has warned.
While many companies are managing security policies based on business requirements, many others are finding that a proliferation of competing priorities is making it hard to reconcile policy differences into a unified model, AlgoSec vice president and APAC general manager Guy Givoni recently told CSO Australia.
This, in turn, was compromising the association between security policies and the applications to which they relate. In the absence of a strong correlation, Givoni said, many employees simply end up layering policies on an ad hoc basis, creating an overall security posture that can be internally contradictory as well as compromising corporate governance controls.
“Because of the rate of change in today’s business, many people just dump the whole process and do things ad hoc,” he explained. "That creates a situation where, first of all, they are not going to meet their compliance requirements."
"They often don’t really know why they are putting things in," he continued. "They’re just doing it because it’s the fastest way of doing things. Many times, changes are not needed but people just add new rules because the environment is already so complex.”
Convenience often led to discrepancies between businesses' stated requirements and the actual security posture of the technology intended to support those requirements, he said. “The irony is that – in the space where people are the most anally retentive about process, compliance and sticking to things – you see this completely non-process thing happening.”
Improving the consistency of security policies lies at the core of AlgoSec’s business, which has grown 148 per cent in Australia since 2011 and seen the appointment of distributor Observatory Crest as well as rapid growth in local staff numbers to support a customer base that includes major banks and telecommunications providers.
A range of tools allows enforcement of consistent security policies – AlgoSec naturally promotes its own Security Management Suite, which manages business rules and translates them to application-level firewall and application performance management suites – but tools are only part of the challenge.
Businesses also need to work on improving needs assessments and IT security culture to ensure application controls are implemented consistently across the organisation.
“You cannot apply culture by bringing in new technologies,” Givoni explained. “If the culture is bad, you can buy new technology and the culture will stay bad.”