How are companies thinking about their security strategies differently today? Is prevention still more popular than mitigation?
The idea of “protect and prevent” is still very much alive and the testament to that is that technologies to handle these use cases are continuing to see usage and uptake.
However, we have seen an evolution in the thinking from individuals and teams responsible for an organisation’s security. As they have seen increasingly sophisticated threats from both the outside and inside, they have realised that – for deep security coverage – it is best to also have a strategy to detect issues as quickly as possible and mitigate the impact to their business and their customers.
Is there still a market for traditional IT security solutions, or will investment shift over to new approaches?
Absolutely. Multiple and even overlapping technologies to fortify an organisation’s security posture are critical to being able to detect and mitigate risks. Let’s consider antivirus; it is still an important foundational element in the same way that educating an organisation’s employees on how to avoid phishing attacks is. Most security teams still subscribe to the defense in-depth school of thought. So while some might argue that modern cyber breaching techniques can skirt antivirus technologies, it doesn’t make sense to rule them out.
It’s the same with password management and identity – there are rules and tools that can be used to improve security. At the same time, not all access and not all accounts are created equal. Recognising that privileged accounts should be protected is a new and growing market for IT security; privileged access is getting spread more widely across organisations and into their outsourcing partners, yet control over this access is often not considered until after a breach.
Do you see CIOs stuck with how to keep their existing IT running, or do they look at innovation and new investments?
Dealing with legacy IT investments is a big issue for all companies. Keeping the security lights on was potentially the biggest area of investment in the past, but that was before we entered what seems like a cycle of major security breaches.
This has highlighted a danger that certainly existed before the news coverage. However, the coverage has helped the CIO make a case to the rest of the organisation that investing in more innovative security technologies can be just as important as keeping the lights on. It’s difficult when things are abstract, but the series of breaches that have affected both private companies and public sector organisations has made it easier for CIOs and CISOs to build their business cases.
But do all the stories around security breaches and unauthorised access actually cause more harm in the long run?
Headlines around huge breaches and compliance scares do certainly cast a focus on the IT security industry. The challenge we have seen in many of the post breach details is that security technologies were either not fully implemented or were even potentially ignored. In many cases, the attacks were not technologically difficult; they succeeded due to miscommunication, failures in process or IT assets not being protected in the right ways in the first place.
Can IT be totally secure?
If a system is connected to the internet, it is likely to be a risk. The trick is to follow the fundamentals of good patching and policies, good password management and ensuring the people involved take security seriously to mitigate the risks.
In order for IT security providers to be as effective as possible, it takes a collaboration between those who are interested in positively affecting change, the software and hardware vendors who have vulnerabilities that need addressing, and the IT security providers who are working to protect the systems.
What do you think the next big problem for IT security will be?
When discussing security best practices with security professionals, we often hear that shrinking the attack surface is the most important thing an IT security team can do. We expect this to become more challenging as the threat landscape continues to evolve including the migration of legacy systems to the cloud and Infrastructure as a Service (IaaS), the expanded use of consumer technologies in the enterprise, and the rapid explosion of systems that fall into the category of Internet of Things (IoT).
The European Union is working on new Data Protection rules to unify approaches that companies have to take around protecting information. Do you see this as a big opportunity for the future?
Data Sovereignty regulations have a significant influence over customer behaviour. The potential exists for a nation state to obtain information about another nation’s citizens and there are concerns about how data is secured and governed when it is not within your direct control. The solution in most cases is to ensure that the technology deployments and good security practices align with data sovereignty regulations in the first place.
What do you think are the biggest challenges facing IT Security teams today?
The biggest challenges relate to dealing with the cultural and process changes typically involved with adopting new security solutions, and trying to balance that with productivity and user satisfaction.
The biggest opportunity here is to help ensure that an authorised person has access to the resources they need but only when needed. Many of the recent cyber-breaches have been attributed to criminals obtaining access to critical systems using authorised means, for example stolen credentials. IT security providers who can always ensure that only the authorised user is the one accessing a sensitive resource or system in a way that doesn’t impact productivity will likely see the most interest from security professionals.
Stuart Facey is VP EMEA for Bomgar
