Future-Proofing Your Information Security Strategy
This blog post doesn’t focus on data loss prevention (DLP); it is about security in general. I don’t often write about the broader topic of Information Security because there are large portions of the security space that I am not involved in. However, after much thought, I feel obligated to share some ideas with the larger Information Security community, and specifically Information Security leaders inside of organizations, about what I believe the future will hold.
My responsibilities require me to travel the world and talk to a lot of people. I hear business leaders expressing growing concern at their ability to protect their information and their businesses in the face of seemingly overwhelming security threats. My response is to offer a take on the message that Gary Ryan Blair expresses in the quote above: Don’t look to past paradigms to protect your business. Instead, focus on what’s ultimately important—and within your control—as you move into the future.
Information Security professionals I talk to readily admit that the “perimeter”—that imaginary protective wall around a business and its data—is dissolving. One major driver of this dissolution is the fact that we already live in a hybrid world today. Very few organizations store and use their data 100% on premises and very few are 100% in the cloud. As a result, on-premises security and cloud security are equally important today.
However, digital transformation has progressed to the point where the key question about data has changed. Instead of asking what data will go to the cloud and what will stay on premises, we should ask how long it will be before the majority of organizations don’t operate data centers at all.
Despite the wide recognition of this shift, organizations still try to apply perimeter concepts to a world without boundaries. For example, some organizations are deploying firewalls inside of Amazon Web Services. Why?
It’s my job to look into the future—and the future holds some revolutionary innovations. Consider that quantum computing offers orders-of-magnitude more processing power than any binary system ever could because a single qubit can operate in 256 distinct states, whereas a traditional bit has only 2. The potential power of this type of computing is staggering.
However, most organizations will never own a quantum computer; the operating environments for this type of technology will be prohibitively expensive for most data centers, so it’s likely that the primary model for quantum computing will be Quantum Computing as a Service (QCaaS). Pair that with the rapid growth of Infrastructure as a Service (IaaS) that we’re already seeing, and it’s not hard to envision a world where all workloads are elastic and rented rather than static and purchased—and where the only organizations that own data centers are global governments and cloud services providers.
Many paradigms will change if such a world comes to fruition, but it is the most efficient way to operate and distribute resources. The shift will restructure many capital markets—and it will also challenge many security models.
The Cyber Security Hub published this graphic detailing the disciplines of security and describing the products that fall into each bucket.
This model is helpful for understanding how we have navigated a crowded and confusing information security landscape. However, it is also useful for examining the future of security—and weeding out the sections we can no longer control.
What are you left with? Outside of policy management and limited operations, you are left with control over your data. If you look inside the teal bubble, you also have control over who you allow to access that data and the resources you rent.
Therefore, in this world, all that matters are people and data.
For those of us who are passionate about the importance of Information Security, the scary part of this new model is that most security strategies focus on the purple, blue, gold, and red sections—the sections that I don’t think organizations will control in the future I am describing.
I firmly believe we are moving at an accelerated pace towards the future I have described. I can’t realistically predict exactly when we will get there. When skeptics express doubts about the pace of the digital transformation, I ask them a simple question: “What trends are you seeing that suggest a massive move back on premises for services that have gone to the cloud?”
I just don’t see that trend going backwards. The elasticity, flexibility, and reduced barriers to entry into markets offered by cloud services are too appealing to ignore, especially for smaller and mid-market businesses, which still form the majority of the economy. I cannot imagine a new business starting today and borrowing capital to build out a data center. It would be difficult to imagine not utilizing SaaS and IaaS when those options allow you to be up and running in days instead of months or years.
Information Security leaders should start pivoting now to emphasize the two elements of security that are not likely to be diminished: people and data.
Most important, begin re-skilling your workforce to address the problems of the future. It’s fine to maintain your legacy systems like Security Incident and Event Management (SIEM), firewalls, intrusion detection and prevention services (IDS/IPS), and endpoint protection, but don’t make those the center of your strategy. If you do, you’re likely to see diminishing security efficacy over time.
If there’s one thing digital transformation should have taught us so far, it is that business is going to move towards innovation, efficiency, and mobility as quickly as possible. The advantages the future offers to business are essential to retaining a competitive advantage, and security leaders will not be able to slow or prevent the evolution.
We must prepare now so we can be ready to protect the business as it continues to innovate, rather than being dragged through digital transformation kicking and screaming. It’s time to challenge our thinking and finally accept there is no perimeter and we cannot build a castle. The future of Information Security is asymmetrical, dynamic—and already a reality.
When it’s time to future-proof your DLP strategy, you may still need to convince your leadership of the value of that change. Download the case study Making the Case for Critical Asset Protection and learn how a major cancer center implemented a Critical Asset Protection Program™ (CAPP) with InteliSecure and gained control of the flow of information inside and outside the organization.
July 17, 2019
Securing the Digital Transformation Part 2: Necessary Change to Secure the Digital Transformation
Now that digital transformation is better understood, we can start to look at necessary changes to people, processes, and technology in order to adapt to the new technology paradigm. It is important to remember that digital transformation is not something to be resisted but rather embraced. The first change that is necessary for security professionals is a change in mindset. Security teams should not be focused on saying “no” to the business, but rather focused on enabling the rapid deployment of transformational technology in a safe and secure manner.
Just like their peers leading Digital Transformation initiatives, security teams must use new approaches to adapt and deploy solutions. Why? We live in an age where change is so rapid that every security program must evolve quickly in order to remain relevant. Now more than ever, security is a journey and not a destination. Therefore, executives must think about data protection in smaller, rapid, ongoing development cycles instead of the occasional large, discrete project. We must safeguard sensitive information for the entire movie, not just during one snapshot in time.
(By the way, we will soon be unveiling an entirely new approach to data protection that will help you keep up. Data protection will no longer be an event but an ongoing process that continually reduces risks.)
In part 1, it was mentioned that many security leaders will not consider projects that do not have a clear return on investment. Security programs then must be examined through the same lens. For a long time, many have thought a security program’s Return on Investment (ROI) could not be measured at all. I strongly disagree. For the better part of a decade I’ve helped organizations quantify the business value of data protection. As business executives embrace Digital Transformation, however, any executive, including those working in security, will find it increasingly difficult to obtain resources for projects that do not show a quantifiable benefit to the business.
Digital Transformation means even more adjustments for the Chief Information Security Officer (CISO), a position that’s changed significantly over the last ten years. Historically, many CISOs reported to CIOs, but along the Digital Transformation journey, many organizations have reconsidered the relationship.
Why? Facing immense pressure to make radical, transformational changes, there’s a risk the CIO will ignore security concerns and cut corners in pursuit of their goals. Concerns about the fox guarding the henhouse have caused some organizations to restructure in order to allow greater CISO independence. That way CISOs can more objectively safeguard sensitive data by checking the safety of new technologies and practices from outside the CIO’s influence.
And in the words of Spider-Man, “With great power comes great responsibility.” CISOs charged with this watchdog role during Digital Transformation must have business skills in addition to technical skills. Greater independence necessitates this change, since the CISO is suddenly accountable for managing a budget and crafting investment justifications. CISOs lacking business acumen should immediately begin broadening their skills.
Even before Digital Transformation grabbed headlines, perimeter-based security was on life support. Now that idea is officially dead.
In today’s distributed on-premises, cloud, hybrid and mobile computing environments, there’s no longer a perimeter to protect. Legacy technologies such as firewalls, IDS/IPS, and endpoint protection platforms simply don’t do enough. That’s because today the majority of data traffic moves outside the business network on devices the business doesn’t own. How can CISOs be successful when it comes to Digital Transformation’s rapid advances?
I recommend dynamically identifying and classifying data deemed sensitive or critical to the business and then building in protections that follow that data wherever it goes. Information Rights Management solutions separate sensitive from commodity data; then Data Loss Prevention and Data Classification, when paired with Cloud Access Security Brokers, make it all possible. For an extra layer of insider threat protection, I recommend deploying User and Entity Behavior Analytics as well.
Along with an organization’s shift to new technologies that enable Digital Transformation, investment in new security approaches must also occur. Firms invest much more in firewalls and endpoint protection platforms than can be justified in the era of Digital Transformation. Sticking to the past only creates more risk for the modern, digital business.
Today’s vague buzzword, Digital Transformation, in truth describes a path for established companies to compete more effectively in the customer-driven era. Along with it comes necessary changes to people, processes, and technologies, including adoption of agile development practices, credible financial justifications, and in many cases, an entirely new role for CISOs.
Digital Transformation means a healthy shift in security strategy, too. Gone is the outdated “castle doctrine” of perimeter-based security, replaced by protecting data wherever it’s created, stored, moved or accessed. In a sense, Digital Transformation may be the best thing that’s ever happened to our discipline. In this quickly evolving, mobile, hyper-connected world, we’re encouraged to focus on what information security was meant to be all along: protecting data and people, not devices and networks.
Securing the Digital Transformation Part 1: Defining Digital Transformation
By: Jeremy Wittkop
If you’re like me, hundreds of “Digital Transformation” marketing emails fill your inbox every week from vendors pitching their products and services as “transformative.”
I thought I understood the trend’s overall benefits after reading extensive research from sources such as the International Monetary Fund and the World Economic Forum. But countless vendors have since associated their offerings with the concept, and I found I had lost track of what the term actually meant. I’m probably not alone and the definition of “Digital Transformation” likely remains unclear for many.
So I set out to understand the idea a little differently—through the lens of a security professional intent on perceiving it in less conceptual and more practical terms. A better understanding of the trend makes it possible to protect an organization’s most sensitive information throughout the transformation. I’ll share what I’ve learned below, including the fact that Digital Transformation in the end prompts a healthy shift in security strategy.
First, what is digital transformation? Through this journey, I found many people who told me they knew what it was, but their definitions of it were wildly different. How can that be if they all understand it? In my experience, while most people understand digital transformation as a concept, it can be expansive and difficult to define.
This led to the first problem. How can we effectively communicate something if we don’t agree on what it is? We can’t! Even less can transformation succeed when the end state we seek is hazy.
Not only does a lack of clarity limit an organization’s successful change, in my opinion it also weakens an organization’s security posture. The two depend on each other, and I believe as security professionals we must always reduce ambiguity in order to protect our organization’s most sensitive information.
So I set out to understand the term “Digital Transformation” from a people, process, and technology perspective. I will share what I’ve learned in part 1. Once that was clear, it seemed easier to ensure our security practices can keep pace with this phenomenon, which will be outlined in part 2.
It turns out even the experts muddy the concept. I’ve chosen a few favorite sources that helped me distill a clearer meaning.
The European Union’s I-Scoop defines the term as:
“The profound transformation of business and organizational activities, processes, competencies and models to fully leverage the changes and opportunities of a mix of digital technologies and their accelerating impact across society in a strategic and prioritized way, with present and future shifts in mind.”
That pretty much describes anything that consumes electricity. I-Scoop’s statement and supporting narrative go well beyond business applications and discuss how Japan is using digital transformation for societal benefit. The group’s intentions are honorable, but the result is not a useful definition.
The second source is a little more business-centric. The Enterprisers Project defines digital transformation as:
“The integration of digital technology into all areas of a business, fundamentally changing how you operate and deliver value to customers. It’s also a cultural change that requires organizations to continually challenge the status quo, experiment, and get comfortable with failure.”
OK, that’s a little better. This version scopes the definition more narrowly than affecting the entire planet or society as a whole, but it’s still too broad, referencing all aspects of a business. What both sources have in common is the idea that this is a big, transformational change driven by technology, and that it requires a change in thinking as well as a change in operations.
The third source I consulted is one I rely upon frequently, CIO Magazine. Rather than invent their own definition, they quote an authority on the subject: George Westerman, principal research scientist with MIT Sloan Initiative on the Digital Economy. He says:
“Digital transformation marks a radical rethinking of how an organization uses technology, people and processes to radically change business performance.”
His explanation is the most specific, calling out digital transformation as a change in how people, processes, and technologies combine to provide business value. He best summarizes the fact that organizations must undertake their digital transformations with a wary eye on market disruption. Now more than ever, established companies face significant risk that new, digitally native competitors can quickly arrive and put them out of business. Customers today demand more, and firms that can’t adapt won’t survive.
With a better definition in hand, let’s look closely at how businesses are changing people, processes, and technologies to optimize their operations and better engage customers. Then we’ll examine the security program changes that must accompany these initiatives in part 2.
A very important shift associated with Digital Transformation is the widespread use of “agile” rather than traditional “waterfall” development processes. In fact, the two seem inextricably linked.
Digital Transformation articles commonly reference user stories, sprints, and continual evaluation, essential agile methodologies. Experts write that traditional waterfall methods are simply too slow to react to changes in the marketplace. And since rising customer expectations are driving businesses to achieve results even faster, traditional hierarchical decision making and approvals associated with waterfall development projects are also being replaced. Now agile teams make decisions much more quickly thanks to customer input during each development sprint.
The need for speed and agility also gives rise to use of another core agile practice: Minimum Viable Products. Rather than wait to deploy robust digital solutions that meet every conceivable use case, firms using agile methods introduce basic capabilities quickly and enhance them as they go. The MVP philosophy to get to market quickly and iterate after the fact forces companies to streamline processes and eliminate unnecessary or wasteful activities.
Another important shift taking place with Digital Transformations is the trending requirement to show the economic value that comes from the change. In fact, many technology leaders refuse to consider new projects if their value cannot be quantified. This is a significant change in thinking, and one security leaders should pay attention to.
Most experts agree Digital Transformation is so impactful that it should be directed top-down by the CEO and the board of directors. In reality however, the CIO is often charged with implementing the initiative. Often CIOs must create new roles to help manage these projects, such as an initiative leader or a Chief Technology Officer to evaluate the technologies needed to transform business operations. And hiring isn’t limited to IT. Once the firm makes changes, people must support, maintain and enhance the new solutions.
In order to perform their essential functions in the transformed organization, many employees will need to be retrained. Organizations often face a shortage of talent when hiring specialists to operate the new processes and technologies developed as part of the initiative. Some employees will embrace the challenge and the opportunity to develop new, more marketable skills. Others will become disgruntled and could even become insider threats. Therefore, leaders must effectively manage the people-related risks during the transition.
Fortunately during this era of unprecedented change, firms such as Prosci, experts in organizational change management, can address this foundational element. Their ADKAR model, which stands for Awareness, Desire, Knowledge, Ability and Reinforcement, defines the successful phases each employee must experience in order to successfully adapt.
A staggering array of technologies can potentially play a role in Digital Transformation, which is precisely why securing data along the way is so difficult. Technologies that don’t even exist today will become part of tomorrow’s computing ecosystem, so teams must embrace and evaluate emerging technologies quickly. While it’s difficult to predict specifically what happens next, here is a list of sample technologies currently part of many Digital Transformation initiatives:
· Software as a Service
· Public Cloud Infrastructure
· Mobile Applications
· Connected Technology (IoT)
· Wearable technology
· Artificial Intelligence Driven Solutions
· Machine Learning Models
· Autonomous Vehicles
· Virtual and Augmented Reality
This list is in no way exhaustive, but it shows the challenges facing traditional security paradigms. In the upcoming part 2 of this blog, we will explore changes security programs must make in order to secure the digital transformation.
May 6, 2019
Rethinking the Insider Threat While Mining for Data Security Gold
Many people believe that the vast majority of cyber threats involve the intentional theft of credit card numbers or Personally Identifiable Information (PII). That is not true.
Many people also believe that the most prevalent incidents involve malicious software and ransomware. That is also not true.
The news cycle drives these perceptions. Stories about malicious software, and ransomware in particular, are a media favorite. A ransomware attack is sensational. It features a villainous criminal demanding payment and a helpless victim pleading for his mercy. Even better for news outlets, this dramatic story requires little investigation or technical understanding to report it. But despite the media hype, this form of cybercrime represents less than 1% of actual attacks.
The truth is that the vast majority of stolen information is taken by someone who already has credentials. Sometimes people unknowingly share sensitive information through phishing or social engineering directed by an outside agent. But at other times, people act maliciously or in their own financial interests. Case in point is the story of American Semiconductor. An employee stole sensitive intellectual property and put it on a removable USB device in exchange for $2 million.
As one of the largest Managed Data Protection practices in the world, InteliSecure uniquely understands how people interact with sensitive information. We monitor the behavior of over 2 million users in over 140 countries around the world every day. As a result, we see both intentional and accidental data exposure, and we have amassed countless stories of how people really steal it. These days much of it winds up on the Dark Web. Details of these stories cannot be told due to client confidentiality, but we have built a library of anonymous examples to share, all of which came from our innovative Golden Nugget Program.
Several years (and countless gray hairs) ago, I led InteliSecure’s Managed Security Services practice. A proponent of variable compensation, my CEO at the time decided that we needed to make changes in Operations. He thought our people needed additional motivation. While incentive compensation is relatively straightforward for sales and marketing, structuring it correctly for our Security Operations Center teams was a bit of a challenge. I told him I’d work on it.
My first step was to research what my peers were doing. After all, many good ideas were probably already in use. I discovered that the majority of Managed Security Service providers used a variable compensation structure to incentivize behaviors that led to profitability. For instance, many firms referenced common call center metrics such as the volume of tickets or how fast, on average, agents closed them.
I knew these measures did not positively impact the client experience, and in many cases they had an adverse effect. I’m sure you’ve called customer service at a cable company at least once in your life. The representative probably asked your name, located your account, and immediately started pushing the ticket to a close, regardless of whether your problem was solved. Measuring employees based on productivity drives this type of behavior.
I wanted to do things differently. Rather than reduce costs, my goal was to reward the behaviors that helped us better acquire, satisfy, and keep clients. We had to focus on client value.
One day after skiing amazing powder at Breckenridge with an InteliSecure executive, a salesperson, and my friends on the Managed Security Services team, we had an idea. We were having a good time relaxing and watching a show called “Gold Rush” on the Discovery Channel. Gold Rush is about gold mining, a very slow, mundane and laborious process. But thanks to the magic of television, the Discovery Channel made it fascinating.
One of my colleagues remarked, “What we do is like gold mining. We create security policies to find rare security events, which is similar to a gold miner picking which plot of dirt to prospect. Obviously if there’s no gold in the dirt in the first place, you won’t be successful finding it in the end.”
He continued, “Our triage process is a lot like running dirt through a sluice box. If it’s done well, the miner maximizes his yield, but if it’s done poorly, the gold washes into the stream below. When our engineering team sets up the systems, we’re like the miners building the sluice box. If we don’t do a good job, the process fails. Our entire team must work together to find Golden Nuggets.”
At that very moment, our Golden Nugget program was born. It was simple. If our team found a valuable security incident for our clients, we would reward everyone who contributed to that discovery. We also didn’t want to decide the Nugget’s value in a vacuum. We asked our clients to participate in the process and rule whether the finding was significant. We continue to showcase Golden Nuggets today during business reviews with our clients.
When we first started the Golden Nugget program, we simply compensated people for any material security event they found. But for really big finds, we gave them extra special recognition. You can read more about one amazing story in my book, Building a Comprehensive IT Security Program (https://www.amazon.com/Building-Comprehensive-Security-Program-Guidelines-ebook/dp/B01JRFGQY2), but in summary, we caught a user stealing a substantial amount of intellectual property at one of our manufacturing accounts. This proprietary information cost $30 million to create, and it pertained to a product line expected to deliver $3 billion in revenue over the next 5 years. The perpetrator intended to leave the country and illegally mass produce a counterfeit version of the goods. When the individual went to trial, investigators discovered he had successfully made away with similar information from our clients’ two top competitors. He is currently serving 10 years in federal prison.
When our SOC team agent surfaced this gem, we realized that not all Nuggets are created equal. We needed to recognize the best of all Nuggets we found. Doing so motivated our Managed Services team to compete even more to find them. Thanks to the increased volume of great finds, we celebrate the very best of them during our quarterly awards.
Since the Golden Nugget program’s inception in 2013, we’ve seen more than our share of valuable Nuggets. In the beginning, broken business processes accounted for most of them. Later, however, we saw a disturbing rise in the volume of incidents when users inappropriately shared intellectual property. Although much of it was accidental, a surprising percentage was intentional.
Why the change? My colleagues fault three factors. First, many of our clients have matured past their initial compliance requirements and have started to build policies protecting intellectual property. Second, spurred on by competition for Golden Nuggets, our analysts have become much better at finding the proverbial “needle in the haystack.” Third, the lines of acceptable behavior pertaining to sharing sensitive information have blurred significantly as the traditional security perimeter has eroded. Since it’s easier to share in today’s cloud-connected world, people now think it’s OK to share whatever they want.
I think these are valid explanations, but in my view they don’t tell the whole story. Here’s what I call the inconvenient truth:
More people than ever are stealing Intellectual Property and other sensitive data because the market for trafficking stolen information has matured. Theft has become for many a low-risk, high-reward occupation.
Most industry analysts agree that the success rate for data theft is around 95%. Surprisingly, only one criminal in twenty gets caught because most organizations do such a poor job of protecting their data. And of those detected, very few offenders will ever be prosecuted. They’re simply terminated and then go on to repeat the same behaviors elsewhere.
Protecting data is hard, and most organizations aren’t doing it well. Unfortunately companies place too much emphasis on perimeter security and not enough on protecting their most sensitive information.
The world has changed. To be successful, companies today must do more than retrofit their perimeter technologies—they must implement comprehensive approaches to protect all types of data, no matter where the intrusion occurs. Right now, it’s much easier for an insider to pilfer behind the walls than it is for an outsider to penetrate a firm’s thick perimeter defenses. Until this changes, criminals will continue to exploit this common vulnerability without fear of getting caught.
That is, unless they happen to work for an InteliSecure client.
Forget what you may have heard about data protection. Despite beliefs that DLP will only catch well-meaning insiders and broken business processes, we can tell you from our many years of experience that there’s significant risk in not doing DLP well. People who say data protection programs don’t work are among the 95% who are doing it wrong. Criminals are stealing your data, and technologies do exist to catch them. It’s time to make a change.
We can help. Our Golden Nugget program is just one example of the lengths we go to safeguard our clients’ most sensitive information. Put our expert teams in our Security Operations Center to work for you. We can find the nuggets that boost the value of your security program and deliver the level of protection you deserve.
The Dark Web is an emerging threat for everyone in IT security, but most people don’t know what it is. InteliSecure is planning a webinar with Emily Wilson from Terbium Labs, an expert who does a phenomenal job of explaining how it works. We will update this post with a webinar link when it’s scheduled, but you can always check the InteliSecure Bright TALK channel for more information: (https://www.brighttalk.com/channel/17408/intelisecure)