The cyber-security arms race follows a perpetual cycle – one that’s all-too-familiar to professionals working in the sector.
Organisations invest large sums in protection, attackers breach their defences anyway, and the ante is upped another notch as the rush to respond begins.
Australia’s collective cyber-security investment is set to reach $3.8 billion in 2018, up 6.5 per cent on the previous year, according to Gartner.
Meanwhile the threat has never been greater; it’s increasing in frequency, scale, sophistication and severity according to the Australian Cyber Security Centre’s (ACSC) 2017 Threat Report.
So, are we doomed to be locked into this spend-and-defend loop where we periodically find ourselves fighting a rearguard action against the hackers and questioning our choice of weapons as we do so?
Or could a change of strategy result in better outcomes? I believe so – if IT security leaders are bold enough to embrace it. For too long many have been convinced the traditional approach of protecting the perimeter is the best and only way to protect the data that lies within.
That was true once but times have changed and it’s time for IT security professionals to change with them. We need to say goodbye to old ways and explore new strategies which address the real security issues in today’s business environment more effectively.
Becoming agents for change
Why have security professionals been reluctant to advocate doing things differently up to now? Perhaps one reason is the still largely true argument that ‘nobody gets fired for buying IBM’. Legacy solutions may not be impenetrable, but they’re still considered ‘safe’, as is anything endorsed by industry analysts, who continue to favour traditional on-premises solutions. Against this backdrop, advocating for a change of focus can feel like a brave move.
This is especially the case for Australian IT security executives who report directly to their CIO, rather than a member of the executive team whose remit is less technology-centric.
Both parties are typically invested in the networks and security architectures they’ve supported and helped build. They may be understandably reluctant to admit that previous decisions, while not necessarily mistakes, are no longer effective, and concerned that recommending existing infrastructure be torn down will reflect poorly on their professional judgment.
Taking the argument to the top
Having security chiefs report directly to the CEO, the board or at least the chief risk officer may be one way to overcome this caution and inertia. Currently only 15 per cent do so, according to research from K logix, compared with 50 per cent who report to the CIO.
Creating a channel for IT security to deliver honest criticism to the top, without fear their ideas will be quashed and their career prospects compromised, would ensure Australian business leaders were alive to the risks and able to take an informed view about future security strategies.
Conversely, an organisation where the executive team is out of the loop is likely to be ill-placed to respond in a timely and robust manner when attacks occur. Failure to do so can lead to an Equifax-style outcome.
The credit reporting bureau, which has a significant presence in Australia, came under considerable fire for its tardy reporting of the 2017 hack which saw the details of almost half the US population exposed. It seems likely lack of focus on the crisis by senior executives contributed to the widely criticised response.
Getting on the front foot
Lack of cyber-security oversight at the executive level may be one of the reasons security professionals appear to have failed to clock the fact that traditional protections are less-than-effective in today’s increasingly mobile-driven working environments.
When employees can offload documents to the cloud without anyone noticing and access company data from hotels, cafes, their own homes and the BYO mobiles in their pockets, focusing on the traditional perimeter stops making sense.
Stepping out of the IT shop and becoming more closely aligned with business units is one way security professionals can get on the front foot in this new and rapidly evolving landscape. It’s a change of tack for those who’ve historically seen their remit as technology and security focused but one that’s becoming increasingly necessary.
Forging ties with department heads can ensure the security team is aware of new business initiatives which may have security implications and can determine how best to mitigate the risks before, not after, problems emerge.
The focus on relationship-building should also be extended to the C-suite. Timely intelligence about security risks associated with new programs would help ensure security measures are integral and by design – not the afterthoughts they too often prove to be.
Recognising legacy architectures are no longer sufficient and advocating for radical change may be an uncomfortable prospect. For Australian security professionals who want to sidestep the perimeter protection arms race and start building infrastructure for today’s world, not yesterday’s, it’s a very necessary one.