Emerging Tech and Risk Assessment
Security Is About Understanding the Gaps, Not Filling Compliance Holes
But with all these so-called emerging technologies floating around, how sure can we be that they are working in tandem, to actually improve an organization's security, rather than hinder it?
The short answer: We can't. I had the opportunity recently to speak to several industry thought-leaders, and we talked a lot about these technologies.
IBM's Marc van Zadelhoff, for instance, says more interconnectivity lends itself to more insecurity. "How secure am I, really? When I take on new initiatives, I have to consider the security risks," he says. "Everyone is speaking about the cloud ... but even in the cloud, you still have to think about traditional layers of security."
The cloud is not the security catch-all it's been touted to be. And the more organizations move to the cloud, the more diligent they must be about service level contracts, platform and network interoperability, and clear and transparent security measures.
An organization is only as secure as its weakest link, and if the cloud provider you're working with does not share your same stringent security guidelines, then your organization inevitably will have security gaps.
And then there's mobile.
"Mobile is a bigger concern," van Zadelhoff says. "It comes down to assessing risk."
Assessing risk. Not something many organizations have, up to this point, done especially well. It's a concern I discussed at length with several emerging technology experts, including van Zadelhoff, during the Gartner Security and Risk Management Summit near Washington, D.C.
Risk management and security are the new focus, rather than mere check-box compliance. And since few standards currently exist for emerging technologies, approaching new technologies with risk rather than compliance in mind is definitely a good thing.
When it comes to risk management, strategy increasingly revolves around detecting, preventing and responding to insider threats. It's a topic we're hearing a lot about these days, and it's one that came up during 90 percent of the interviews I conducted at the Gartner Summit. [See Citi Case Exposes Insider Risks.]
Michelle Shannon, vice president of product management and marketing at BeyondTrust, says banking institutions need to adopt a standard of "least privilege" when it comes to controlling insider threats.
"Monitoring what people are doing is critical," she says.
Internal threats don't have to be intentional. Well-meaning employees are often duped by socially engineered schemes or inadvertently expose some piece or part of information that gives fraudsters access to massive amounts of data.
"Most users with privileges have root access, which means they have a group password. Once that password is exposed, someone can compromise the root database," Shannon says. Limiting privileges and access, and uniquely identifying users, keeps the risk of compromise under control.
That's why it's so important for institutions to have a comprehensive view of what's going on across all channels at all times, says McAfee's Dave Anderson. "This is why integrating all of the devices, the access points to the network, is so important," he says. "You have to have a single analytical dashboard that brings all of this together."
It's the only way to catch anomalous patterns.
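The two points above, per-user least privilege with no shared root password, and a single view that surfaces anomalous patterns, can be illustrated with a small audit script. The following is an added example, not code from the article or from BeyondTrust or McAfee. It assumes a hypothetical host "db01", constructed sshd and sudo log lines in syslog layout, and a hypothetical entitlement policy naming the binaries each user may run as root. It flags direct logins to a shared account, privileged commands outside a user's entitlement, and privileged activity outside business hours, then rolls the findings up by rule the way a dashboard would.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the article): sshd logins and
# sudo records in the usual syslog layout, on a hypothetical host "db01".
SAMPLE_LOG = """\
2011-06-20T09:12:01 db01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
2011-06-20T09:12:30 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart app
2011-06-20T09:15:44 db01 sshd[2210]: Accepted password for root from 10.0.0.9 port 51240 ssh2
2011-06-20T10:02:11 db01 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tail /var/log/app.log
2011-06-20T10:05:02 db01 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/mysqldump --all-databases
2011-06-20T23:40:07 db01 sudo: alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart app
"""

# Least-privilege entitlements, stated per named user rather than per shared
# account: the absolute path of each binary the user may run as root.
# (Hypothetical policy for this example.)
ENTITLEMENTS = {
    "alice": {"/usr/bin/systemctl"},
    "bob": {"/usr/bin/tail"},
}

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def parse_line(line):
    """Return a dict describing a login or sudo event, or None for other lines."""
    m = SSH_RE.match(line)
    if m:
        return {"kind": "login", **m.groupdict()}
    m = SUDO_RE.match(line)
    if m:
        return {"kind": "sudo", **m.groupdict()}
    return None


def audit(log_text, entitlements, shared_accounts=frozenset({"root"}), business_hours=(8, 18)):
    """Apply the three checks to every event and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hour = int(ev["ts"][11:13])  # timestamps are ISO 8601, so the hour sits at offset 11
        if ev["kind"] == "login" and ev["user"] in shared_accounts:
            # A shared account defeats unique identification: nobody can say who this was.
            findings.append({"rule": "shared_account_login", "user": ev["user"],
                             "detail": f"direct login to shared account from {ev['src']}"})
        elif ev["kind"] == "sudo":
            binary = ev["cmd"].split()[0]
            if binary not in entitlements.get(ev["user"], ()):
                findings.append({"rule": "beyond_entitlement", "user": ev["user"],
                                 "detail": f"ran {binary} as {ev['target']} without entitlement"})
            elif not (business_hours[0] <= hour < business_hours[1]):
                # Entitled, but at an unusual time: worth a second look, not a block.
                findings.append({"rule": "after_hours_privilege", "user": ev["user"],
                                 "detail": f"privileged command at {ev['ts'][11:16]}: {binary}"})
    return findings


def summarize(findings):
    """Roll findings up by rule, the kind of count a single dashboard would show."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG, ENTITLEMENTS)
    for f in results:
        print(f"{f['rule']:24} {f['user']:8} {f['detail']}")
    print(dict(summarize(results)))
```

On the sample input the script produces one finding of each kind: the password login as root, bob's dump of every database when his entitlement only covers reading a log, and alice's otherwise-legitimate restart at 23:40. The entitlement map is deliberately per person, which is what makes the second and third findings possible at all; with a shared root password there is no "bob" or "alice" in the record to reason about.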
But how much of this are organizations really doing? It seems the philosophical foundation that supports security plans is changing. Most business leaders accept that security and risk trump compliance. But old habits are hard to break.
At the end of the day, I wonder how willing organizations will be to put their best feet forward, when the compliance standard only calls for them to stand still.