The Cloud: Where Your Partners’ Security Problems Are Yours
We’re seeing the business equivalent of a NASCAR event as companies race to move their information systems to the cloud. This rapid shift is driven by a fundamental change in the way organizations operate today. Few businesses work in isolation anymore. Partners, vendors and even competitors are linked to each other across the Internet in a multifaceted information eco-system. What’s more, the cloud helps to contain or cut IT costs.
But the cloud creates a big problem. A look at any eco-system shows lots of data moving into vendors’ environments, out of view and control. Even if you’re managing security well, you don’t know if vendors’ security practices are as strong and complete as yours.
Not knowing means your company’s digital corporate assets, financial value and a hard-earned reputation are at risk. It’s akin to thinking your house won’t burn down if your next door neighbors’ homes are ablaze. There’s no way you won’t get scorched.
We still see 80 percent of IT budgets going toward traditional prevention technologies. Those initiatives contain less than 2 percent of threats. Fortunately, there is evidence of as much as 20 percent of budgets now allocated toward proactive efforts. Clearly, some organizations aren’t waiting for ne’er do wells to make their presence known.
Your best course of action is to establish an objective, comprehensive process to monitor and measure threats faced by your system as well as those run by members of your information eco-system; add to that the need to evaluate potential participants before entering into business relationships. And, it must involve all potential threats. Assessing security health just by looking at malware is like your doctor just checking your blood pressure then calling it a complete physical examination.
Ideally, such a process lets you look at the state of security at any moment, assess emerging trends and allows you to work collaboratively with partners to reduce risks collectively. Recognize that the bad guys are always doing bad things so an annual manual audit – that usually yields subjective findings – or an intrusive and risky penetration test are no longer the best ways to determine an eco-system’s security health.
The virtues of collective security can be seen in the case of a hacker who compromises a seemingly innocuous system. That becomes a launch pad to attack, infect and wreak havoc across multiple sites in an eco-system. However, a method that continuously scans the full threatscape of an eco-system lets you see the emergence of trends before things get out of hand. If Target, Home Depot and too many other organizations had such a capability in-place, their crises could have been avoided or drastically reduced.
Sharing is a tough concept for managers and executives to accept. But, like change, it is necessary in our interconnected world. The specter of unauthorized intrusion in information eco-systems is ever-present and, reflecting the ingenuity of hackers, ever-changing. Collective security is the mindset that CISOs and their CEOs must embrace.
There is growing evidence that some are getting it. The Financial Services Information Sharing & Analysis Center (FS-ISAC) is a prime example. According to the organization, it is the global financial industry's go-to resource for cyber and physical threat intelligence analysis and sharing.
Still, far too many companies are hesitant to enter into an industry association like the FS-ISAC or create a private one that involves only their partners and vendors. This tentativeness cannot be rationalized. Any vendor in a network whose security is compromised can lead to an increased risk of phishing attacks by using data found by hackers. And that’s just one bad thing that can happen to a good company and its partners.
Senior executives are starting to understand that security is the responsibility of everyone in the organization, including them. For example, business projects no longer outweigh security projects. However, security teams need to stop being the “no” guys. Instead, be units that enable new business opportunities while keeping data secure.