The business world has never been more dynamic. New business models, enabled by technologies that didn’t exist a decade ago, appear regularly. This has created a rapidly transforming landscape that organisations need to be ready for. Digital transformation is a reality companies new and old need to be ready for.
Alongside the changes in how businesses communicate with customers and each other, threat factors are evolving. Those same technologies that enable business transformation can also be used nefariously to steal data or interrupt business operations. In addition, the changing nature of how people work means that the traditional network perimeter has dissolved with people and data now representing hundreds or even thousands of separate perimeters that need to be defended.
Government regulations around the world are changing. In the European Union, the General Data Protection Regulation (GDPR), mandatory breach notification laws in Australia and new cybersecurity laws in China mean enterprises need to be prepared to change and adapt systems and processes for how they operate in different parts of the world. Conversely, regulations and laws aren’t keeping pace with technology which creates risks.
With ever changing landscape of cloud, mobility, BYOD and ever-changing compliance requirements, IT is at the heart of making smart decisions around the network security. Network being at the heart of all communications and the boundaries of network has become blurred while the cyber criminals are getting smarter and smarter. This brings a continuous and more agile approach to the security architecture. Best of breed point product solutions will create security gaps that the cyber criminals can leverage to compromise. It was quite evident from the discussions that enterprises should look at an architectural approach for cyber security.
During a recent roundtable event sponsored by Forcepoint, a global cyber security leader with decades of front-line experience, technology leaders from a number of major Australian businesses and government agencies met to discuss these issues and share how they are surviving and thriving.
Throughout the frank and vigorous discussion, a clear theme was reiterated several times. The businesses that are best able to engage in successful digital transformation are those that took the time to deeply understand the risks their businesses were facing.
That started by taking a hard look at what the corporate data crown jewels are. Depending on who is asked, different senior managers in businesses will have a different view as to what is most valuable. So, while the marketing group might see data relating to new business prospects as critical, the managers of operational systems had a different view.
This led to a discussion around control systems and PLCs. Many of those older systems were not built with the broad connectivity we take for granted as part of their design. One of the risks this creates is that legacy systems become an impediment to business agility. This lack of security by design is something that is continuing as more IoT devices are being connected to networks.
This history is one of the reasons the IT department is often regarded as the "Department of No". Several the event participants said they had spent a lot of time educating their teams to change from being the "Department of No" to the "Department of How".
By identifying the company's data crown jewels, it was then possible to engage the board and C-suite in a risk-based discussion which put the challenges of security and agility into their terms and not just technical terms. However, while some types of data can be easily valued, the impact of security incidents on reputation are harder to assess until after an incident takes place.
It was unanimously agreed that users are critical in securing business data. Although it was noted accidental or deliberate insider breaches are a significant challenge, creating systems that provided adequate controls so opportunities for data leaks are reduced is critical. In many cases, while it might be possible to detect an internal breach, the motivation of the incident can be very difficult to prove.
Detecting data leakage across networks remains a challenge. While SIEM systems were common amongst the event attendees, many acknowledged that finding enough, sufficiently skilled staff to configure those systems and react to the vast volumes of data they collect is difficult. However, everyone acknowledged that artificial intelligence and machine learning are developing and will assist with combatting some of the skills shortage.
The final topic of discussion was around the distribution of data and the importance of cloud providers. With some attendees already taking a "cloud first" approach they said it was critical that they had exposure to what was happening, from a security point of view, in the cloud provider's network as it pertained to their data, and that part of the initial negotiation for services included plans for extracting corporate data should the decision be taken to move to a new provider.
Throughout the entire discussion, many acknowledged the importance of having a flexible and reliable network that gave visibility to the data that was moving and provided human-readable insight into anomalous activity was critical. Everyone at the table also agreed they had some way to go before that was fully realised.