Data Security needs a major mindset shift

SafeNet explains how ‘secure breach’ is not a contradiction

Tags: SafeNet Incorporated
By Tsion Gonen. Published March 10, 2013

As the Chief Strategic Officer of a global information security company, I’m sure you’ll find it shocking that I believe a data breach does not have to be a catastrophic event for any organisation, its customers or users. In fact, I’ll go as far as to say that a breach has the potential to be nearly benign. Let me explain.

With the IT industry having focused almost exclusively on perimeter and network protection to prevent breaches, it is time for security experts to admit that today’s typical defenses can’t work by themselves.

Why are we not winning? Because we stubbornly adhere to Einstein’s definition of insanity: doing the same thing over and over again and expecting a different outcome. In this case, that ‘same thing’ is this: Responding to breaches by investing disproportionate sums of money in perimeter defenses in a futile attempt to prevent breaches. The industry needs to stop living in the past. It needs to try something new. It needs a new mindset.

My initial recommendation is a simple one: those tasked with securing an organisation’s data need to go through a magnificent ideological shift. It’s not just about another security technology that a vendor wants to tout. It is far more important than that. We must revolutionise our approach. And here’s why.

Ask yourself if your security philosophy has changed much in the last 10 years. I can assure you that it almost certainly has not. You’re likely to be spending 90% of your security budget in the same way you did in 2002 — spending on perimeter and network defences.

I cannot think of an IT industry that has stayed the same as long as ours has. It’s as if we’ve had blinders on — telling ourselves to stick solely to breach prevention. Take a look at other sectors within the IT industry and you’ll see huge change from just 10 or even five years ago, because they didn’t have a choice. The way people demand, use and share data is nothing like 2002. Today, business demands that data becomes free. The problem and the solution within the IT security arena just don’t match up. It’s no longer just about the network or our PCs. It’s about the actual data. The cloud, SaaS, mobility, BYOD and the like have made it so. As a result of all this new access, we must transform our mindset from breach prevention to breach acceptance.

Let me explain. I am not saying that organisations should stop investing in key breach prevention tools or do away with layered security. I am suggesting that instead of focusing all our resources on defences that get breached time and time again, we should place our bets on strategies that protect our most valuable assets. CIOs and CISOs should always presume that they are operating in a compromised state.

Instead, put yourself in the mindset of the hacker and know what he/she would want within your organisation. If you do, you’ll quickly realise that protection must be moved closer to what really matters — the data itself. If the protection is closest to this vital asset, then what you’ve created is self-protecting data that doesn’t rely solely upon perimeter defences for protection.

In essence, by attaching the protection to the data, you’re killing the data once a breach has taken place, and you’ve either made the breach largely irrelevant or greatly minimised its impact. This constantly compromised mindset is what can maintain regulatory compliance, mitigate financial risk, save a corporate reputation and, importantly, retain the trust of customers and business partners.

Zappos, the online shoe and clothing retailer, is a perfect example of how this new approach can be a game changer in the fight against data theft or loss. Zappos said that an attacker was able to penetrate their perimeter defences and gain access to some data such as customer names, email addresses and shipping information, but due to encryption that scrambled passwords and credit card numbers, the attacker was left with little of any actual value. There can’t be a larger disincentive for hackers to spend the time attacking systems if they know they’re not likely to find much in the end.

The answer to instilling this new security approach lies with encryption. Encrypting data amounts to killing it the moment it falls into the wrong hands. Encryption on a massive scale is not simple. In fact, you can even lose your data if it’s not properly deployed: it means a lot of encryption keys, a lot of key management and a great deal of backup. But if deployed properly, encryption technologies make for nearly bullet-proof protection that is scalable and manageable.
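What “protection attached to the data” looks like in practice, for the Zappos-style record above (names and e-mail in the clear, card number usable only with a key held elsewhere) and for the key-management risk in this paragraph, as an added illustration that is not SafeNet’s code and not part of the original article. It assumes a constructed `Record` layout, a key that would normally live in a key manager rather than beside the store, and a constructed test card number. The record ID is bound to the ciphertext as associated data, and `Shred` shows both sides of the key question: destroying the key “kills” every copy of the data, which is the point of the approach, and is also exactly how data is lost when the only copy of a key goes missing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one row as it sits in the customer store (constructed layout).
// Name and e-mail stay in the clear, as in the breach described above; the
// card number is held only as AES-256-GCM ciphertext.
type Record struct {
	ID       string
	Name     string
	Email    string
	CardBlob []byte // nonce || ciphertext || GCM tag
}

// NewDataKey returns a fresh 256-bit key. In a real deployment this key lives
// in a key manager or HSM, never alongside the records it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreCard seals the card number under key. The record ID is passed as
// additional authenticated data, so a blob copied onto another record fails
// to open instead of quietly yielding a different customer's card.
func StoreCard(key []byte, id, name, email, cardNumber string) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	blob := gcm.Seal(nonce, nonce, []byte(cardNumber), []byte(id))
	return Record{ID: id, Name: name, Email: email, CardBlob: blob}, nil
}

// ReadCard recovers the card number; any change to key, blob or ID fails.
func ReadCard(key []byte, rec Record) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(rec.CardBlob) < n {
		return "", errors.New("card blob too short")
	}
	pt, err := gcm.Open(nil, rec.CardBlob[:n], rec.CardBlob[n:], []byte(rec.ID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Shred overwrites the key in place. Every blob sealed under it becomes
// unrecoverable: deliberately, that is "killing the data"; accidentally, it is
// the data loss this paragraph warns about, which is why keys need backup.
func Shred(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	key, _ := NewDataKey()
	// "4111111111111111" is a constructed test number, not a real card.
	rec, _ := StoreCard(key, "cust-42", "Alice Example", "alice@example.com", "4111111111111111")
	fmt.Printf("what a copied store reveals: %+v\n", rec)
	pan, err := ReadCard(key, rec)
	fmt.Println("with the key:", pan, err)
	Shred(key)
	_, err = ReadCard(key, rec)
	fmt.Println("after shredding the key:", err)
}
```

Run it and the first line prints the record the way an attacker who copies the store would see it: name and e-mail readable, the card number an opaque blob. The key, not the perimeter, is now the thing to protect and to back up.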

With today’s love of the cloud and virtualisation, encryption can arm the owner of data with the confidence that they are still the true owners of information. With encryption, it’s not just out there floating around and being managed by someone else that may or may not have the most powerful security. Encryption allows true ownership of the data to be retained by its proper holder. This means that compliance and regulation become less of a headache and more of an added benefit provided by encryption.

This means that encryption is not only the clear answer to keeping data in the right hands, but also in meeting compliance and regulation requirements — a massive mutual benefit that can turn what used to be an on-going headache into a requirement you simply already meet or exceed.

Keep in mind my previous notion that hackers hate encryption more than anything else. If they invest time and money into an attack and get nothing in return, they’re much less likely to attempt an attack at all. Therefore, if organisations continue to rely solely on perimeter and network defences, we’re going to continue to see the steady stream of breaches that result in potentially devastating outcomes. It’s my contention that it’s time for great change, and that acting the way organisations acted just five or 10 years ago is the fastest path to totally losing the IT security battle. Fear can no longer drive security efforts. Rather, an acceptance of breaches is a much more proactive approach that can usually guarantee the best possible outcome.

Accepting a breach is something those within the security industry will find appalling. But I challenge our industry to identify another approach that places the protection even closer to the data. Mass-deployed intelligent encryption makes data and its security one. Encryption can be deployed throughout an entire organisation, utilising data and data type agnostic solutions that are able to encrypt and decrypt across multiple repositories and global ecosystems.

We’ve learned that the endless fear mongering and reactive product advertisements aren’t part of the solution — they’re actually part of the problem. We should no longer let fear drive the IT security landscape. I encourage CEOs, CFOs and CSOs to no longer turn a blind eye to the simple fact that breaches are happening and they are not going away. Simply accept, be proactive and protect — the data itself.
