Brian McEvilly, Chief Information Security Officer (CISO), takes a look back at IT over the past three decades and identifies some of the key points businesses should be addressing if they want to keep up with the rapid pace of digital transformation.
Over the course of the last three decades, what we have collectively known simply as ‘IT’ has changed dramatically. Across organisations in retail, manufacturing, critical infrastructure, finance and logistics, the pace of technological advancement varies just as dramatically. At one end is slow and steady evolution, where the infrastructure is still as familiar today as it was in days gone by; at the other are environments where the pace of change leaves in its wake an unrecognisable infrastructure that is often difficult to fully articulate or describe and, most importantly perhaps, to control or protect.
From mainframe systems with punch cards, floppy disks for installation of entire Operating Systems and business applications, CD-ROMs and on-premise Hypervisors, to Public, Private or Hybrid Cloud, PaaS, IaaS, SaaS or containerisation – you could be excused for feeling a little lost, whether you’ve been in the industry for many years or you are just at the start of your IT career.
As CISO within a Managed Service Provider (MSP) that deals with many existing customers and speaks to new prospective customers daily, I find it fascinating to see this full spectrum of infrastructure, common understanding, expectation and conditioned best-practice ideologies. For those businesses that haven’t already undertaken a digital transformation, the challenges are typically modest and familiar, and for the most part mitigated through closed-circuit networks/communications and limited access to systems. Business confidence in secure IT is achieved through anti-virus and a perimeter firewall (still the most common controls perceived to ensure ‘secure system design’), which allow the senior management team to believe they are operating within their risk appetite.
In contrast to this, many businesses have looked to diversify and change their traditional methods of consumer engagement; in a lot of instances they have had to turn to online trading or e-commerce, or have looked to technology to introduce the operational efficiencies needed to maintain competitive advantage. This places a significantly higher reliance on technology and tends to result in a need for immediate response times, instantaneous transactions, big data analysis, and aggressive RPOs, RTOs and SLAs. In these businesses, confidence in secure IT is often achieved through risk transference (where possible) or mitigated to a level within their risk appetite through external verification, audit or certification attainment.
Myth or reality?
Whilst these may seem like two ends of a spectrum, many conversations with companies at varying points along their journey include comments such as:
1. Public cloud is safer than on premise
2. My data is secure if I go SaaS
3. We need agility so Cloud is the only option
4. GDPR doesn’t impact us because our data is hosted elsewhere
5. We don’t have an IT budget because we’ve never been attacked
6. Our staff have all had training, so we don’t need e-mail protection
7. Hackers aren’t likely to get us because we don’t hold any data of interest
8. The Board don’t see the value in investing in IT
The reality is that there isn’t a single size that fits all, or one solution that appeals to all budgets, and this is why there can be so much confusion about what is needed or what good looks like.
When we realise the full extent of IT, from the most basic to the most complex design, and plot ourselves against it (which is what we are conditioned to do), what should we be thinking, what questions could we ask, how do we know what ‘appropriate’ means from one situation to the next, and how do we avoid technology envy or technology for technology’s sake?
So, what should we be thinking?
1. What is our business risk appetite? Is it defined, understood, communicated, measured, reported against and is it objective?
2. Do we have a budget for IT security, do we need a budget and what value should this IT security budget deliver?
3. What does ‘best practice’ mean for me, in my business?
4. How do we measure what we have or what we need?
5. Do we suffer internally from the Dunning-Kruger effect (in short, we think we understand our position because people with insufficient knowledge/ability/understanding have determined we are not at risk)?
Top 5 questions business leaders should be asking:
1. Does the data we hold have any value?
2. Are we a known entity/brand?
3. Do we provide any service or have connectivity to any brand names or companies of interest?
4. How do we know what happens across our systems and infrastructure?
5. What would be the impact to a full-scale compromise?
How do we know what ‘appropriate’ means?
1. Do we hold documented processes/policies/procedures surrounding IT security?
2. Do we understand the ‘Five Functions’ outlined within the NIST Cybersecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity), namely how we Identify, Protect, Detect, Respond and Recover?
3. Within our business, do all roads lead to one or two people or one or two technologies (i.e. antivirus and a firewall)? Have we risk-assessed our landscape, and can we assure the Board that the controls or staff we have in place are appropriate to the highlighted risks?
4. If we were compromised, can we evidence sufficient knowledge, understanding, awareness, training/education and investment in adequate and appropriate personnel, outsourced agreements and technological solutions to demonstrate diligence, responsibility and accountability for data protection?
5. Is security just an external risk, or do we consider insider threats as well?
Tech for tech’s sake?
It’s really important to avoid technology envy or technology for technology’s sake. You must learn to:
1. Understand your environment and obtain help (independently or from peers) to identify risk
2. Be thorough when reviewing the infrastructure and consider all points of access both internally and externally
3. Now the first two things have been done, look at what you need to address your risks (consider the aforementioned Five Functions)
4. Where staffing, personnel or resource is finite and Managed Services or recruitment are not an option, consider machine learning and artificial intelligence; this is different for each business and depends significantly on technology maturity
5. Walk before you can run: implement the basic controls first and build upon them rather than aiming for utopia. The goal posts will always move and IT security does not stand still, so prepare to implement continuous evaluation and risk reviews, and ensure objective KPIs are provided to the Board each month. This ensures full visibility and ongoing awareness of risk, importance and security posture, and can help raise the profile of compliance and governance strategies.
For more information on how Frontline IT Consultancy can help you modernise your networks for future growth, contact the team today: firstname.lastname@example.org