Siloed approach to security increases risk

The channel must look at the bigger picture if it is to help businesses under threat to defend themselves, warns Tony Lock

A quick glance at the happenings of the past few years will bear witness to the rapid rate of change in IT and how businesses today use computer systems in almost every area of their operations. Yet seemingly mundane matters, especially IT security, continue to be managed haphazardly in many organisations or are, effectively, swept under the carpet.

Why is IT security as a whole still a mass of fragments that take incredible patience and effort to get working in a unified manner?

Indeed, from a systems or quasi-architectural point of view, little in security appears to have changed significantly in the past decade or more. While individual security products evolve rapidly, fewer offerings look to combine a range of products or offerings into simple packages that end customers could buy more easily.

Security products are still mostly sold discretely. That is true for everything from basic malware protection and firewalls to data loss systems and encryption, or intrusion detection, behaviour monitoring and forensic analysis. Plus everything in between.

Some vendors have begun to bundle up suites that integrate security offerings. Mostly these represent only a small subset of the bemusing array of protection available. Yet organisations need to defend themselves against an increasingly sophisticated range of threats.

The potential consequences, too, are varied. Costs may increase, and routine management tasks may take more time. The most dangerous consequence is the potential for increased exposure to business risk: security holes could remain open, because relying on multiple overlapping offerings can itself magnify the vulnerability of the business, in part because the challenges presented are never fully addressed in any unified way.

But this is not just about the vendors. Enterprises are equally at fault. Most large organisations buy IT security as separate components, with different departments responsible for separate stacks in the security picture. This is the case even in companies where there is a security department that has been given a specific role to oversee the big picture.

And in many enterprises it is likely that IT staff are left to make decisions that should be taken by line-of-business managers, or better yet by business and IT working together.

The problem is that many organisations remain distinctly reluctant for business managers to get involved in IT security, as they do not want to take responsibility.

The way budgets work, IT staff often end up having to decide on their security solutions piecemeal.

Little planning or finance is arranged to consider the big picture: how the intricate web of IT systems fits together and how the entire stack needs to be secured. Much of the way IT security is funded is a direct consequence of IT not understanding the ever-changing nature of the threats to which the organisation is exposed, and of IT staff not being able to adequately explain the problems to be addressed.

As more systems become integrated, often by direct connections, it is becoming ever harder for stressed IT staff to see how things link together. So it is also becoming ever harder to work out the security implications, especially when IT is being chased to make decisions. There is then little scope to manage the change processes in a secure way.

Throw into the mix senior business managers seeking to use a seemingly ever-expanding portfolio of devices, be they tablets, slates, or smartphones, and the security challenges escalate day by day - or at least year by year. And some of these devices may not even be procured or managed directly by the enterprise.

If no one has the time or the inclination to consider the big picture, and if IT vendors appear happy to continue selling siloed IT security systems with little integration between discrete stacks, partners may be the only way for organisations to get a better handle on overall IT security.

Start by teaching both business managers and IT staff how to identify and quantify security risks. Educate end users about why IT security matters. Without such understanding - as history shows - users will seek to sidestep or ignore security measures. This is especially true if they think something slows them down or gets in their way.

This is no easy task. However, it is clear that many IT systems are much less secure than is required. There are plenty of opportunities for partners to sell product, but they should also communicate the risks and benefits of comprehensive offerings, not just individual product features and capabilities.

Tony Lock is programme director at Freeform Dynamics