Identifying business assets and connecting your security program to them.

This is my second post expanding on Alex Stamos’ Black Hat 2017 keynote. This time, I am elaborating on his suggestion that security practitioners need to “foresee the problems people are going to see with technologies.” My take on this is that we need to focus more on protecting our business assets rather than just implementing state-of-the-art endpoint protection, network protection, cloud protection, etc. This post focuses on identifying those assets and connecting your security program to them.

Trends in business technology are analyzed every year by the Society for Information Management (SIM), a professional group of 4900 CIOs and IT directors. Their most recent report, the 58-page “2018 IT Trends Study,” was published on November 9, 2017. It is one of the few IT surveys published by a non-profit, non-vendor group. One topic the report looks at is where IT organizations are investing right now. It’s pretty obvious that security needs to align with business investment. Each organization will be different, and CISOs will need to reach out to leaders across their organizations to determine their priorities. But the SIM report provides good suggestions of what to look for, based on its survey of IT leaders.

Here are the top 5 IT investment domains reported for 2017, by rank:

1. Analytics/Business Intelligence/Data Mining/Forecasting/Big Data
2. Security/Cybersecurity
3. Cloud Computing
4. Application/Software Development/Maintenance
5. ERP (Enterprise Resource Planning)

No. 2 is already the focus of CSO readers; I’m not discussing it here. What about the other 4? Are you effectively supporting such initiatives in your organization? What are the security implications of these initiatives? How can you be proactive in supporting these business initiatives?

The Analytics/Business Intelligence domain has been the No. 1 investment area for the past 8 years.
Apparently businesses still need to forecast markets and internal performance. The amount of data ingested is increasing exponentially, and IoT (the Internet of Things) deployments are only increasing the rate. IoT is being deployed in business units for such things as product and asset monitoring, autonomous vehicles, smart buildings and healthcare patient monitoring. One huge security gap is in these IoT deployments. This is an opportunity for security to be proactive, by developing standards and governance to “build security in” to deployments before they go live. To do this, you will need to connect with business leaders, who may be planning IoT implementations before going to central IT services.

According to the SIM survey, 96 percent of organizations say they are using cloud services and solutions (Domain No. 3). Is your organization taking full advantage of the opportunity? Security and compliance considerations are still critical and may be impediments to adoption. The recent Uber breach again brings cloud security into focus. The hackers reportedly accessed confidential information via GitHub and the Amazon cloud. No failure in the cloud service has been reported; instead, it appears that the hackers stole passwords. Was two-factor authentication for GitHub not implemented? This attack also highlights that it is not the cloud that is insecure, but the way it is implemented and managed. Security managers should redirect the conversation from the “insecure” cloud to securing its deployment within their organizations.

The big trend within Domain No. 4 is Agile/DevOps. Business leaders want deployments with a daily heartbeat, or weekly at most. How do you secure applications and systems built at this pace? Some ideas here. First: move the analysis to the left with threat modeling tools. Second: analyze the code testing results as a system, using Application Vulnerability Correlation tools.
Third: realize that 100 percent risk-free code will not be produced in this environment; implement bug bounties to catch defects before hackers do.

Domain No. 5, ERP, seems like a ghost from the 1970s. But today, organizations are augmenting their monolithic ERP systems with line-of-business-focused SaaS solutions. The result is a more complex hybrid environment, in which data integrity and data security are at risk. To get ahead of this trend, you need to work with business leaders and procurement, establish security guidelines ahead of new deployments, and then be an active participant in the deployments of the new capabilities. Not doing this will give rise to “security debt” associated with new ERP investments.

These top five investment domains are those recorded from the 769 organizations that responded to the SIM survey. You should know what the top five are in your organization and figure out how better security can proactively support them.