CompTIA’s IT Industry Outlook 2016 identified proactive cybersecurity strategies as a key business trend to watch throughout the year. Seems like a no brainer, but the reality is that companies have historically taken a more defensive approach to security. That’s now changing.
Our latest research study, Practices of IT Professionals, further explores this offensive shift. The study dives deep into the current state of the security market and the role that InfoSec pros are playing in corporate safety. The study, conducted in February and March, surveyed 500 security professionals in the U.S. to better understand behaviors, relationships and challenges.
While security is not a new topic, companies are showing renewed interest in changing their approach. Cloud computing and mobility have driven the creation of digital organizations, where the reliance on digital data or concern over customer information is greater than ever. To ensure continuity of operations and preservation of reputation, companies must re-think their security strategy. Rather than simply focusing on malicious attacks by building a strong defense and quickly detecting anomalies, businesses are taking preemptive measures to test out their strategies and prove their commitment to best practices.
Within digital organizations, business units have a greater degree of influence on technology decisions. However, security is still an area that remains IT-centric. Previous research from CompTIA has shown that business units consider security one of the primary responsibilities of the IT team in this new normal. In large organizations, this may take the form of a stand-alone team focused on security issues. In smaller organizations, technical professionals will wear multiple hats, with security being one of many duties. Either way, security now spans three separate areas that must be managed; technology, process and education.
Traditionally, security has focused on technology. The secure perimeters that companies once built were made of hardware and software, primarily firewalls for network traffic and antivirus solutions for endpoint devices. While these tools are still necessary, they are no longer sufficient. Adoption of cloud and mobility requires a new set of tools, such as DLP to monitor data behavior, IAM to manage identification across many environments, and SIEM to provide a holistic view of security architecture and events.
Adoption of these tools varies with organizational size and security capabilities. Along with firewall and antivirus, encryption is widely used. DLP and IAM are in the middle of the pack, with SIEM lagging behind thanks to the complexity in operating such a comprehensive tool. As companies bring new tools online, they are building a layered security framework. This model allows detection of threats at different places throughout an IT architecture, but it also requires knowledge of what to do when notifications come from the various layers.
A modern security approach must go beyond technology, though. Security processes are critically important, from the way that different vendors are evaluated to the practices that must be followed to maintain compliance with various regulations. Technology tools protect against technical threats; processes and policy must be in place so that the business environment is not one where threats can proliferate.
These processes can be part of a strong offense as well. The top challenge in building better security, cited by 47 percent of security pros in the CompTIA study, is the organizational belief that security is “good enough.” The measure of success for security cannot simply be the lack of incidents. Proactive steps must be taken to assess the effectiveness of current strategies, compare those strategies to best practices and maintain active corporate policies.
The third and final leg of a modern security approach addresses the weakest link in the chain –the end user. CompTIA research has consistently shown that companies view human error as the primary cause of security incidents, but solving that problem is not an easy one. For many companies, educational efforts across a variety of topics involve new employee orientation or annual reviews – isolated actions with limited efficacy. Today’s workforce is rapidly adopting new technology and needs security training in line with the dynamic environment.
IT pros may not have much prior experience with education, but that’s not unusual; internal education is not necessarily a strong suit for most organizations. Building security awareness is in high demand and companies say that the top criteria for security training is good content on the latest topics. IT workers are the most in tune with these areas, and they can use this as an opportunity to improve the workforce and directly benefit the business.
The connection to business objectives is a key item to remember when pushing for new security measures. Communication of security concerns is a challenge, but business units are likely open to hearing these concerns. The rapid push towards new technology, sometimes bypassing the IT team, has led to issues with integration and security. In digital organizations, business units want to partner with IT in technology discussions, with each party bringing their specialized knowledge to the table. Security is one of the areas where business units look to the tech team for direction.
Whether it is dealing with innovative technology, building new processes or creating effective education, there are many steps that IT pros can take to be aggressive with security rather than building defenses and hoping for the best. By taking the lead in these areas and defining the proper costs and benefits, security professionals can position their organizations for success in the future.