The Wall Street Journal recently covered a PWC study that concluded that since security budgets have stopped going up, our corporate security must be going down. While that is certainly one possible outcome, I believe that if you securely harness the technological advances in cloud and mobile that are simultaneously sweeping enterprises around the world, and combine them with the latest tools and techniques in cybersecurity, it is possible to match our growing threats step for step, even in these fiscally restrained times.
I do agree with the survey respondents that everyone should still start with a modern risk analysis, which will give them a clear picture of what their threats are, where they are coming from, how they are getting in, and what they are getting out. This process is ideal for providing the enterprise leadership (CEO, CFO, CIO, Board) with the knowledge they need to make their risk decisions — i.e., what to defend, and how much to spend. But unlike in the old days (last year!), it’s now possible to get a lot more cybersecurity without a lot more cybersecurity budget.
I can think of three ways of providing more “cyberconfidence” without breaking the bank:
CLOUD: It’s big, it’s fluffy, it’s elastic, and it’s already in your enterprise. You may not call it that, but enterprises have either already allowed some sort of cloud, or their employees have just brought their own from home. The worst thing an enterprise can do in this era of free and portable cloud services is to ignore them or deny they exist. That will only serve to increase employee work-arounds and increase the risk of huge chunks of your property flying out a door that you can’t even find, let alone lock. But if you plan accordingly, you can set up a very useful cloud program that encourages secure use of these highly efficient storage and computing services, all the while improving your risk posture without a big hit to the security budget — and it’s paid for by real savings that clouds bring to datacenters, real estate, M&A, and more.
MOBILE: It’s everywhere and it’s taking over your enterprise. Employee-owned mobile device programs, called Bring Your Own Device or BYOD, are being dictated by a strong-willed staff that would sooner lose their corporate laptop than their personal mobile phone or tablet. Enterprises that try to disallow BYOD on their networks are being worked around faster than they can spend money trying to keep these devices out. The better move is to design a secure way for employees to use their own equipment to do their work, without increasing your risk. This is possible now if you design security in from the get-go, instead of expecting employees to bolt it on. Offering your own app store for approved apps; offering secure social media for corporate use; and providing a safe sandbox for employees to use all their unapproved apps without permanent damage to your enterprise, are fast becoming the new norm. The suite of mobile countermeasures that is now available for most brands of devices would rival many corporate security offices, and like cloud, this is all paid for out of the real cost avoidance of no longer buying phones (and in some cases laptops) for every employee.
MANAGED SECURITY SERVICES (MSS): Just plug in! You don’t generate your own electricity anymore; you just plug in because it’s cheaper and more effective than having a coal-burning steam generator in the cube next to you. Much of security has now gone the way of electricity, where it’s not only easier to simply plug into the services you want, it’s also a lot less expensive (short and long term) and a lot more effective than trying to do it yourself. It’s easier because all you do is select which services you need, allowing you to get back to your core business and leave the hiring, training, building, operating, evolving, monitoring, alerting, etc., to pure security professionals who live for this stuff. It’s cheaper because the security infrastructure is built once, shared across thousands of customers, and you only pay for what you use. And it’s more effective because you get the customized benefits of massively parallel global Security Operations Centers (SOCs), and the most highly trained professionals, who have access to real-time threat data and state-of-the-art analysis labs that can solve a problem once and share the solution with everyone. DIY security is so yesterday.
Cloud, Mobile, and MSS are just the tip of the iceberg. Don’t be discouraged by surveys such as these, but rather use them as an opportunity to be your enterprise hero, by pointing out that in 2012, cybersecurity is no longer a zero-sum game.