Terry Greer-King discusses why businesses need to find a balancing act between business enablement and protection as part of a visibility-driven and threat-centric approach to security
Agility is vital for businesses to develop their customer base, capitalize on new opportunities and, ultimately, maximize profits. There is a focus from the board on driving growth, stimulating demand, fostering customer loyalty and improving operational effectiveness – cutting costs without cutting value or leaving their organizations exposed to external upheaval. These approaches naturally demand a more open and collaborative organization, one in which a changing workplace demography, with more digital natives and tech-savvy employees, is eager to engage.
However, this environment inevitably increases exposure to threats. As a consequence, the conundrum facing CISOs today is how to empower people to perform at their best in an increasingly mobile and collaborative world while simultaneously protecting the organization from ever more sophisticated, organized and persistent cyber-threats. The reaction by many so far has been to build barriers and restrictions to put staff in lock-down. However, recent Cisco research found that an increasing number of employees feel security policies are inhibiting innovation and collaboration, and make it harder for them to do their job effectively.
The balancing act of business enablement and protection requires a fundamental shift in how we approach IT security. To be successful, businesses need security strategies and policies that enable, rather than constrain. As part of a visibility-driven and threat-centric approach, the change needs to take into account an IT-proficient workforce with the knowledge and wherewithal to bypass policies. One in 14 digital natives, for example, confesses to actively bypassing IT security policies when they feel the need.
With this in mind, CISOs and IT managers need to feel empowered to start taking IT back into the business, framing their role as an enabler of agility and disruptive innovation. IT should no longer operate as a siloed function, but rather as a core business process. There’s an entire universe of great tools that employees want to use to get their work done. Rather than acting as the naysayers, frustrating employees and increasing the likelihood that they bypass the rules, IT should adopt a more positive mantra in the role of internal consultant – seeking to drive change and the best use of IT to be more productive. At the risk of being repetitive, this means embedding security into all operations across the business and making sure processes evolve to reflect the threat landscape.
Establishing more user-friendly policies is a start: policies that limit risk while allowing employees the freedom to perform without feeling caged. Organizations need to stop insulating employees from threats and educate them on the challenges they face. Cisco’s recent research identified different user behavior profiles that should form the basis for user-centric security strategies.
The ‘threat-aware’, for example, are well aware of security risks and try hard to stay safe online, yet despite being aware of corporate security policies are likely to use the network for personal transactions. Conversely, the ‘bored’ and ‘cynical’ believe security threats are overhyped, with the cost of security outweighing that of a breach.
By identifying different profiles of user behavior, specific approaches that limit the risk posed can be developed without impinging on employees’ freedom to perform.
To cover the entire attack continuum – before, during, and after an attack – today’s organizations need to address a broad range of attack vectors with a holistic approach and security solutions that operate everywhere a threat can manifest itself.
The only way forward is to build organizations that can survive and thrive amidst disorder: organizations that are agile and adaptable, able to cope with disruption and able to emerge stronger than before.
About the Author
Terry Greer-King is director of security for Cisco UK&I, having been at the forefront of the industry for the last 10 years. Terry regularly engages at senior level with CIOs, major partners, service providers and other key vendors in the IT security space, and is a spokesperson at both industry events and in the press. Prior to Cisco, Terry was managing director of Check Point Software’s UK operation.