Over the past few months, I've heard many CISOs say their jobs are increasing in difficulty due to the rapid adoption of consumer technologies by the business, such as social, video, mobile and cloud.
These technologies present new risks, but because their value is so compelling from a business productivity standpoint, CISOs no longer have the veto power to keep them out. This is the groundswell movement, depicted in Forrester Research's new book, Empowered. And there's no question that this movement is only going to accelerate. In fact, a recent Forrester survey reveals nearly 40% of information workers across different organizations use some form of self-provisioned technologies. What's more, one in four companies is already using some form of cloud computing, and half of enterprises (1,000 employees or more as defined by Forrester) already support at least two mobile platforms.
With such a fast pace for technology adoption, security and risk become top issues. I'm hearing questions such as: "How do we keep our information safe with the rapid adoption of these technologies?" and "How do we deal with risks associated with social, mobile and cloud technologies?" IT security's challenge is to find a way to tackle the different types of technologies entering the organization, manage the ensuing risks, and ultimately help shape the future of the company.
A hidden benefit is that this movement presents the opportunity to reinvent corporate security strategy. Think about this: corporate data is going into the cloud, mobile devices are edging out traditional PCs, and social technologies are enabling ad hoc collaborations anytime, from anywhere. The status quo approach simply won't cut it. If there ever was a time to rethink existing security models, it's now.
To help develop a new operating model for the business, and to become a fulcrum for innovation that acts as a partner and advocate to the business, security leaders should examine their security architecture to be sure it suits the "empowered" environment. For example, a data-centric security model should advocate that, instead of relying solely on infrastructure security, protection should travel with the data. Additionally, threat mitigation should live within applications, since modern threats concentrate almost exclusively on the application layer. This strategy places substantial value on secure software, data-aware application controls, and threat mitigation techniques built directly into the application. A third element is systems that are agile and attack-tolerant. The important idea here is that the system does not relinquish control, or keel over, in the event of a security breach; these newer models will need an attack-tolerant platform as a foundation on which to build systems that can withstand future threats.
Redesigning a security architecture based on these principles represents an opportunity to not only mitigate risks, but also usher in fundamental changes to governance, process and architecture that will make the environment safer for enterprise computing.
In order to work with the business and mitigate these impending risks, Forrester has established specific enterprise security best practices for security and risk professionals to implement:
- Initiate or participate in a central governing task force. An ideal composition of the task force includes security, enterprise architecture, legal and compliance, HR and representatives from major business functions.
- Help establish a standard for adoption. The goal of the task force is to establish a set of adoption standards. This should include technology platforms, risk tolerance levels and conditions for adoption. For instance, in the case of cloud outsourcing, the task force's job could be to define a cloud security checklist that enables the business to evaluate the security maturity and enterprise readiness of a cloud provider. The task force is not meant to be on the critical path of adoption. Rather, its job is to create a set of standards and risk assessment tools that the business can use to make adoption decisions.
- Define a set of acceptable use policies or guidance. Start with the standard employee code of conduct, but develop specific stipulations to govern the use of new technologies, such as social media and mobile devices. Approach these stipulations based on specific risks with each new technology platform. For instance, knowing how to respond to negative comments online is unique to social media communications.
- Work with your internal communications/marketing group to educate employees. It's important for CISOs to communicate the adoption standards and the acceptable use policies to the employee base. The most effective channel is the existing internal communications/marketing department. If the organization doesn't have such a distinct corporate function, work with HR or the employee training function.
- Determine an enforcement strategy and implement technologies. It might be necessary to advise the task force whether to exert management oversight through technological means. If the organization decides on oversight, the CISO must identify the technologies and implement them as necessary. Before choosing specific technologies, it's imperative to determine what should be monitored or managed, who will be doing the monitoring, and what enforcement actions will follow.
Of course, groundswell technologies (social, cloud, video, mobile) bring unique risks. It's IT security's job to help the business understand what these risks are and how to mitigate them. Remember, just as businesses evolve to better serve their customers, IT security needs to evolve to better serve its business. This doesn't mean blindly saying yes; rather, it means aligning strategies with business needs without compromising security requirements. Security and risk professionals can do this by trusting the business. The role here should be one of verification, not enforcement.
About the author:
Chenxi Wang is Vice President and Principal Analyst at Forrester Research, serving security and risk professionals. She is a leading expert on content security, application security, and vulnerability management.
This was first published in April 2011