December 30, 2015
5 Ways to Adapt Your Security Strategy for 2016
It’s often said that the primary difference between a good strategy and a poor one is how well it’s executed. What gets left out is that great execution is only possible when the strategy is clearly defined, broadly communicated, and practically implementable. Put another way, a good strategy leaves room for creativity and flexibility in how it is executed.
Your security strategy is no exception. In the past we’ve discussed how even your board members are paying close attention to cybersecurity. Our challenge now is to make good on the commitments that attention implies, and some fundamental changes need to happen fast. In that spirit, I offer a simple set of strategic initiatives that can be communicated across an organization, aligned with business goals, and still leave room for creativity and flexibility in implementation. Ready? Let’s start with:
- Identify your most valuable digital assets (data and applications)
Even in the midst of a rapidly changing landscape, at least one old adage still holds true: you will see the best returns by prioritizing and focusing security investments on your most valuable assets. This is true whether your valuables are physical or digital. But today, the challenge of managing digital assets is driven by their velocity and scale.
The rapid proliferation of new data types and the adoption of new collaboration tools mean there are now many more ways to lose control over confidential business information, whether it takes the form of confidential files, personal data (PII, PHI), or internal communications. When the scale and speed of business make it infeasible to keep information locked down behind a firewall, your company must focus on control instead: knowing who has access to each file, managing permissions deliberately, and being able to revoke access instantly when necessary. Just as important as control is usability: you cannot effectively protect data without balancing accessibility, transparency, and utility, because users route around controls that get in the way of their work.
The way to address this is to shift your security focus to directly protect the data and applications that drive your business. These specific digital assets are together the most valuable and the most distributed in any organization, and your mandate is to identify, track, and control them as efficiently as possible.
- Shift focus away from the perimeter
This second recommendation is a corollary to the first. As more and more organizations – and particularly highly regulated ones – adopt cloud services for their core business processes, they need to move away from legacy security models focused on locking down the perimeter. Instead, security teams must embrace new models that secure data and applications directly. By moving to a model where the assets are protected in use, on any device, security and IT teams will not only be better equipped to prioritize which data needs protecting, but they’ll get better control, visibility, and monitoring along the way.
These two trends are combining to drive sweeping interest in what I’ve been calling ‘Modern IRM.’ By moving your strategic focus down to the data itself, and starting from the assumption that your files will travel, you make different decisions about how to protect them, including while they are in use outside your organization. It’s a more user-centric approach as well: you gain the trust and buy-in of your end users with flexible tools that let them work on their terms, and in exchange you can protect more of your organization’s critical assets.
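To make the data-centric model concrete, here is an added illustration (not code from the original post, and not Vera’s product) of the pattern described above: the file carries its own ciphertext and a document ID, the key stays with a key-release service that checks a grant on every open, and revocation takes effect the next time anyone tries to open the file, wherever the copy has travelled. The cipher is a stand-in (HMAC-SHA256 in counter mode) so the example runs on the standard library alone; the sample document and principal names are constructed for the demo.

```python
"""Toy model of data-centric (IRM-style) protection.  Added example, not the
post's own code.  Stand-in crypto: HMAC-SHA256 in counter mode instead of
AES-GCM, so that it runs with the Python standard library only."""
from __future__ import annotations

import hashlib
import hmac
import json
import os

BLOCK = 32  # HMAC-SHA256 output length, used as one keystream block


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (toy stream cipher)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (i // BLOCK).to_bytes(4, "big")
        ks = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


class KeyReleaseService:
    """Holds per-document keys and grants.  The envelope can travel anywhere;
    only this service can turn it back into plaintext, and it logs each attempt."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._owner: dict[str, str] = {}
        self._grants: dict[str, set[str]] = {}
        self.audit: list[tuple[str, str, str]] = []  # (principal, doc_id, decision)

    def protect(self, owner: str, plaintext: bytes, allowed: set[str]) -> str:
        """Encrypt under a fresh data key and return the portable envelope (JSON)."""
        doc_id = os.urandom(8).hex()
        key, nonce = os.urandom(32), os.urandom(12)
        self._keys[doc_id] = key
        self._owner[doc_id] = owner
        self._grants[doc_id] = set(allowed) | {owner}
        ct = keystream_xor(key, nonce, plaintext)
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity over nonce||ct
        return json.dumps({"doc_id": doc_id, "nonce": nonce.hex(),
                           "ct": ct.hex(), "tag": tag.hex()})

    def revoke(self, requester: str, doc_id: str, principal: str) -> None:
        """Owner removes a grant; existing copies of the envelope become unreadable."""
        if self._owner.get(doc_id) != requester:
            raise PermissionError("only the owner can change grants")
        self._grants[doc_id].discard(principal)

    def open(self, principal: str, envelope_json: str) -> bytes:
        """Policy check first, then integrity check, then release the plaintext."""
        env = json.loads(envelope_json)
        doc_id = env["doc_id"]
        if principal not in self._grants.get(doc_id, set()):
            self.audit.append((principal, doc_id, "deny"))
            raise PermissionError(f"{principal} has no grant for {doc_id}")
        key = self._keys[doc_id]
        nonce, ct = bytes.fromhex(env["nonce"]), bytes.fromhex(env["ct"])
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
            self.audit.append((principal, doc_id, "tamper"))
            raise ValueError("envelope failed integrity check")
        self.audit.append((principal, doc_id, "allow"))
        return keystream_xor(key, nonce, ct)


def demo() -> dict:
    """Share -> open -> tamper -> revoke -> open again; returns what happened."""
    svc = KeyReleaseService()
    secret = b"Q3 board deck: draft, do not forward"  # constructed sample content
    env = svc.protect("alice", secret, {"bob"})
    doc_id = json.loads(env)["doc_id"]
    results: dict = {"bob_first": svc.open("bob", env) == secret}
    try:
        svc.open("mallory", env)  # holds the file, has no grant
        results["mallory"] = "allowed"
    except PermissionError:
        results["mallory"] = "denied"
    tampered = json.loads(env)
    ct = bytearray(bytes.fromhex(tampered["ct"]))
    ct[0] ^= 0x01
    tampered["ct"] = bytes(ct).hex()
    try:
        svc.open("bob", json.dumps(tampered))  # valid grant, modified ciphertext
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"
    svc.revoke("alice", doc_id, "bob")
    try:
        svc.open("bob", env)  # same copy as before, grant now gone
        results["bob_after_revoke"] = "allowed"
    except PermissionError:
        results["bob_after_revoke"] = "denied"
    results["audit"] = [decision for _, _, decision in svc.audit]
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the exercise is in `demo()`: Bob’s copy of the envelope never changes, yet after Alice revokes his grant it is useless to him, and every attempt, allowed or not, lands in the audit log. A production system would replace the toy cipher with AES-GCM, keep the root key in an HSM or cloud KMS, and bind grants to authenticated identities and device posture rather than bare names.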
- Adapt your approach for a complex (and unpredictable) threat landscape
Over the last 18 months we’ve seen many new kinds of attacks emerge, from sophisticated advanced persistent threats to nation state-driven, all-out assaults on private organizations. At the same time, as our own software development and deployment practices mature, we keep turning up old vulnerabilities that had gone unnoticed. It is a complex landscape to navigate, and it sits in tension with the principle that simplicity improves security. Unpredictability has become one of the most effective techniques in the attacker’s toolbox.
Put more simply: we can predict that the threats we face will change, and change rapidly, but we can’t yet say how. By sharing information about attacks and vulnerabilities openly and unselfishly, and by shifting our focus to securing information directly, we can all be better prepared when the game changes. For you, this means taking what you’ve learned about your current environment and your pressing priorities, and putting plans in place that can weather any storm.
- Involve peers, vendors, and domain experts to update your policies
I don’t think anyone would be surprised if the conversation about balancing privacy, digital security, and national security not only continues, but intensifies over time. I hope the debate evolves beyond the current fear-based conversation into something more nuanced. The way to get there is to proactively involve security innovators, private and public sector organizations, and individual consumers in the conversation, with the goal of rapidly identifying new solutions and strategies.
There are now many valuable resources for teams looking to adapt to the pending changes in European privacy law, and we have yet to see what will come of the recent changes in Chinese encryption law. One of my favorite voices on this subject is Phil Lee at Fieldfisher. His blog is an excellent resource on the changes, their potential impact, and the rational strategy choices your organization can make in response.
- Seek out innovative partners who thrive on collaboration
Finally, I believe we will see more fluid collaboration between security innovators to bring full solutions to market: not just point solutions, but a full suite of capabilities that addresses these very real challenges. To me, this signals a much more mature technology market. While there will still be some overlap, vendors will have to work together, through business and API-driven relationships, to really thrive. As 2016 progresses, we’ll start seeing some very compelling integrations and partnerships emerge that can drive this very exciting market forward.
At Vera, we’re excited to see how these trends play out, and to play a key role in helping our customers and partners overcome these challenges. And, I’d love to get a broader conversation started – please feel free to contact us @VeraSecurity, or reach out directly @grantshirk and share your thoughts.