Are you Liberated or in Lockdown?

Barely a day goes by when you don’t read in the papers about some security breach or other. Did you hear about the one a few weeks ago where a fraudster hacked 272 million unique email addresses and passwords? In this instance, a security firm, Hold Security, persuaded him to hand the information over, which he did. Their founder Alex Holden summed it up when he said, “Eventually, almost everyone gets breached.”

And that’s what keeps CISOs up at night. That inevitability. Given that most organisations are unaware malicious breaches have occurred until 256 days later (Source: Ponemon Institute), it’s not surprising. When I was moderating a roundtable discussion recently on security, Jim Griffiths, Head of Information Security at Kier Group voiced what everyone else was thinking:

“Like many others we’re kind of secure
right up until the point we’re not.”

But what point is that? Wouldn’t that be nice to know…

So, it’s not if but when. But while you’re waiting for the inevitable, where do you position yourself on the spectrum of liberation vs lockdown.

As Kamini Patel, CISO at Centrica put it,

“One of the considerations is what is enough to satisfy
a) the board, b) the stakeholders, and c) making sure that we’ve got adequate controls in place without turning it into a Fort Knox where you can’t use the systems?
So there has to be a level of trust.”

You need trust if only not to slow things right down and kill off agility and hence business performance. The other issue is frankly, that if you don’t trust your users, or give them what they want they’ll just go around you and do it anyway. This sounds a little bit like being a parent dealing with a wayward child. Maybe it’s not that different.

Bruce Davie, CTO of Networking at VMware put it succinctly, suggesting

“You need to to view security and agility as flip sides of the same coin in that, yes we all want to be secure. We don’t want to be on the front page of the newspaper as the last big company that got hacked. But we have users who need to get their jobs done. And so we have to find ways of delivering security that don’t inhibit either agility.”

So, a system that is secure, agile, that satisfies the board / stakeholders and trusts users enough but not too much. Oh and that can detect the unknown unknowns. It’s a tough checklist. No wonder then that CIO and CISO turnover is high…

 

Browse

Article by channel:

Read more articles tagged: Featured, Hacking

Cyber Security