Whistling in the Dark: how secure is your midsize enterprise business?
It is high noon. The one (and only) security analyst for a midsize business, needs to prepare for a PCI compliance audit. Meanwhile, a phishing email baits an account payable clerk at a regional office to access a malicious site and his workstation is infected with a financial Trojan. At closing that day, $500,000 from the corporate bank account had gone missing – on their way to an off shore account. It turns out, the office UTM appliance was last updated several months ago due to a configuration error. Alerts were issued, but there was simply no time and resources to notice them and take action.
This problem is the tip of the iceberg of the midmarket enterprise security challenge. It is a conflict of business needs, resources, budget and skills. Solving this conflict requires an examination of the delivery model of security, and the productivity it enables.
We all want certainty. And certainty (real or perceived) is achieved by having whatever it is that drives the desired outcome under our direct control – i.e “on premise”. In real life, though, we rely on many things that are outside our control. Power, water, internet connectivity are all examples of critical capabilities we outsource. if we run out of power we use generators or wait until the problem is fixed depending on the level of business continuity our organization requires.
Security is considered a critical business capability. Traditionally, an “on premise solution” was the way to go along with the “on premise resources” that were necessary to maintain it. In an era of increased competition and razor thin margins, IT is under pressure to streamline operations. And as streamlining goes, expecting an overloaded resource to pay attention to the most mundane operational details, is unrealistic. It may feel safe for a while, with no evidence to the contrary, until you run out of luck.
The “ownership” model for security must change – and it will change. The largest enterprises, the ones that can still throw resources at a sprawling on-premise infrastructure, will be the last ones to adapt the new model. The smaller organizations will have to make the leap sooner.
The new model should be based on shared infrastructure and resources, in exact same way utility companies built their shared power infrastructure, generation, distribution and control so we get very high service levels at affordable cost.
Here are some of the key elements of a new model that can address some of the shortcomings above.
Shared Security Infrastructure
Sharing security infrastructure across organizations (for example, through elastic Cloud services) ensures security capabilities and configuration are always up to date. This is a simple concept that eliminates the need for each organization to maintain every component of the distributed network security architecture that is prevalent today. The business assets we protect are naturally distributed, this is how we run the business, but the support infrastructure should support the business structure not impair it.
We are at inherent disadvantage against the hackers. They have the darknet and underground forums where they share tools, tactics and resources. Organizations are very restrictive in sharing security data and often don’t have the resources or the time to facilitate it. Restrictive sharing make little sense these days. There may have been a time when proprietary capability in IT security represented a competitive advantage. However, given the current nature of the threat landscape, no one is safe. What we truly need is pooling of our resources and data and getting the right set of skills applied to analyze it. In essence, our share security infrastructure should adapt to defend against the accumulated insight from all the traffic and security events across all organizations. This should create a formidable barrier against our adversaries that will drastically raise the cost of attack.
Finally, it all comes down to skilled personnel. There is a chronic shortage of experiences staff members, which is hitting the midmarket organization exceptionally hard. It is difficult to compete against larger enterprises in scope of work and compensation even without considering the scarcity of relevant skills. A possible way to address the skills gap is sharing them. This is not a new model, Managed Security Service Providers (MSSP) had been offering it for a while. But even MSSPs need the right platform to scale effectively so a managed service can be delivered in a cost-efficient manner, instead of just migrating the load from one place to the other.
Shared infrastructure, intelligence and skills. These are the three pillars that will make enterprise grade security possible and affordable for the midmarket enterprise.