CISOs should evaluate their security maturity and develop a roadmap to reach the next level of maturity, says Heidi Shey, Senior Analyst serving Security & Risk Professionals, Forrester.

How will 2016 define the future of Security?

Customer expectations and concerns about security and privacy will help to drive more investment and change than regulation. How companies handle and protect sensitive data will be an important component of their brand and overall reputation. Data protection is now a corporate social responsibility.

The Forrester report ‘Predictions 2016: Cybersecurity Swings To Prevention’, which applies globally, indicates that S&R pros (security and risk professionals) will increase spending on prevention by 5-10%. This is a signal that firms will return to a focus on the basics for cybersecurity, and consider prevention as important as detection and response. S&R pros worry about customer concerns over privacy, but this worry varies in intensity depending on the country and the existing regulatory, business, and customer climate.

In Forrester’s Global Business Technographics Security Survey, 2015, 675 to 1,062 global security decision-makers (20+ employee companies) rated their concern for each source of information risk and the potential impact on their organization. India ranked highest with 76%, followed by China at 74%. The number for the US was 48% and France was at 42%. In the European Union (EU), where data protection regulation is the high-water mark for the rest of the world, a lower — yet still sizable — percentage of security decision-makers express concern.
However, there is a silver lining to this concern and awareness: a growing number see a business opportunity and view privacy as a competitive advantage for their business. This rings true especially in countries like India, where 45% of security decision-makers share this sentiment, compared with 22% in the US.

What about new age technologies like APT / next gen firewall / DLP? Are they for real?

They are for real. APTs are a real threat globally. Next gen firewalls are one technology of many that security professionals have to choose from regardless of region; ultimately we have to remember that it’s not just about accumulating the latest and greatest tools and technologies, it’s about your higher level security strategy and acquiring the appropriate tools to execute on that strategy. It’s how you use the tools.

Next gen firewalls are one of three innovations that help companies execute on the Zero Trust model of information security. The development and adoption of virtual network infrastructure (VNI) has accelerated the adoption of Zero Trust networking tremendously. And the third is network orchestration solutions. The desire for agile network programmability powered by centralized management is key to 21st-century networking. It’s also key to security.

DLP is an important tool for security and privacy. It is also an evolving technology, and increasingly we find DLP as a feature embedded within other security tools. DLP is not, however, a silver bullet. To be effective, firms have to consider processes for DLP maturity and success.

Your list of Dos and Don’ts for CISOs of Indian companies for 2016?

DO: If you have not already, evaluate your security maturity and develop a roadmap for steps to take to reach the next level of maturity.
Consider the types of security metrics that you are collecting and reporting to the business, and how these metrics connect to higher level business goals and initiatives. Assess your firm’s security and privacy culture, and attitudes around sensitive data handling and use; identify how you can improve and foster a culture that respects data security and privacy.

DON’T: While compliance is necessary and important, do not base your security strategy solely on meeting compliance requirements. You’ll miss out on protecting sensitive data that doesn’t fall under compliance, and risk reinforcing the notion that security is a cost center rather than a business enabler.

What new developments are expected next year, including the importance of cloud and mobile security by enterprises?

I believe we’ll see more developments around security analytics and machine learning capabilities in security tools. The notion of harnessing security data to protect sensitive data, and gaining greater awareness about data movement as well as context, will help to better protect sensitive data.

There are many approaches that organizations can take for mobile and cloud security. At the root of it, focus and bring the controls back to the data (take a data-centric approach to security). Gain visibility, and control the access and the use. The data is what ultimately matters here.

Yogesh Gupta is executive editor at IDG Media. You can reach him at yogesh_gupta@idgindia.com or follow @yogsyogi1