Getting ahead on security

Security experts share their thoughts on the strategies organisations should adopt to stay safe now and in future

Organisations are looking to develop security strategies which will ensure they are protected in future.

By Keri Allan. Published August 24, 2014

“It may sound difficult to achieve this level of full visibility but luckily the technology necessary to enable this is available today,” he says. “Zero trust will also be seen in how we deal with threats. We will begin to look at the behaviour instead of trusting. An example could be how we deal with malware and viruses. We will see the vendors moving from signatures and trusted processes to always looking at how these processes and files impact our systems.”

The rise in the Internet of Things (IoT) could also trigger a change in the security sector. Along with the conveniences of the IoT will come new security challenges in the form of data privacy, safety, governance and trust.

“As technology becomes more entwined with the physical world, the consequences of security failures escalate. We could see more security solutions designed to protect IoT,” notes Ravi Patil, Technical Director, MMEA, Trend Micro.

“It’s important to know that, looking forward, the mix of people, processes and tools will all still have an important role in the management of security. I think all three will continue to be central to an effective defence, just as they are at the moment. That’s not to say that businesses always get the balance right now,” notes David Emm, Senior Regional Researcher, UK, Global Research and Analysis Team, Kaspersky Lab.

“In particular, many businesses overlook the human aspect of security, or don’t engage effectively with staff. Given that many of today’s attacks – however sophisticated the malware used – start by ‘hacking the human’, a failure to do this leaves a company exposed to attack. Often companies have a well-designed policy document, and require staff to sign it, but don’t follow up after an employee’s induction period. Or they fail to tune in to the fact that people have different ‘hooks’ — some learn through the written word, others through verbal communication, others through visual imagery, etc.”

VP and Gartner Fellow Tom Scholtz agrees that all three play a role, but the balance does depend on the solution used.

“Successful security programs will still depend on an appropriate mix of people, process and technology. The nature of the security controls will dictate the balance, e.g., end-point malware is highly automated (technology), while context-based SIEM requires much more investment in ongoing customisation and response capabilities (people and process),” he highlights.

The experts also agree that more companies should consider appointing a chief security officer (CSO or CISO).

“A CISO is required for any mature business to build and maintain an information security program, support defensibility in regulatory actions and balance the need to protect the business against the need to operate the business. As a guideline, an organisation with 150 or more IT employees should have a dedicated information security officer position,” says Scholtz.

“Broadly speaking, the relationship between the CISO and the CIO/IT has two dimensions. Firstly, the CISO acts as an advisor to the CIO/IT to help them make the best risk-based security decisions. But the CISO also has an assurance function, meaning that the role will monitor and assess the effectiveness of security controls in the IT domain,” he explains.

“I think one of the key things that has led many companies to develop the role of the CISO is a recognition that the IT department needs to engage more effectively with senior management,” Emm continues. “In a nutshell, the board is looking at the bottom line, while the IT department sees the detail of security in general and cyber-security in particular. Unless there’s someone in the organisation capable of understanding risks and articulating this in terms understandable to the board, the disconnect will continue. However, the CISO can only be effective if the CISO has visibility at board level.”

However, Florian Malecki, International Product Marketing Director, Dell - Network Security, highlights that a CISO isn’t necessary for every type of business.

“Companies need to invest as much in human resources as they do in technology. In some cases, as in the SMB segment, where cost is a factor, a CISO type role is not necessary and here partners must consider best practices for protecting their smaller clients. It is worth noting that IT security partners have an important role to play to ensure that their systems and data are protected. Without a proper IT security strategy, the business can’t move forward,” he says.
