Steve Cox, Chief Technology Officer at TSG, explores the growing paranoia around IT Security and explains why this should be viewed as a business issue, not a technology issue.
The dictionary definition of ‘paranoia’ – a thought process believed to be heavily influenced by anxiety or fear, often to the point of irrationality and delusion.
And probably a good starting point for any conversation about IT security.
That’s not to belittle or not take the subject seriously. We certainly do at TSG. Very seriously.
Security is fundamentally critical to the integrity of any system or solution and the value that it creates for your business, your people and your customers.
Our concern is that the ‘propaganda’ (is that too strong a term – maybe not?) surrounding IT security must never deflect us from making well considered, strategic and, most importantly, rational decisions about the steps required to protect systems, people and data. (We’ll come back to data, or more specifically ‘big data’ later.)
It’s a phrase that we keep repeating, and will continue to repeat, but ‘the pace of change in technology is increasing’ and the way we work has transformed massively in the last couple of years.
What’s most significant about these most recent changes is the implication that they blow conventional wisdom around security clean out of the water. Or rather they could do.
But again, that doesn’t mean that we should panic or throw away the key principles that still apply to IT security. It’s certainly not the time to throw the baby out with the bathwater.
Paranoia occasionally leads to drink! But now isn’t the time to ‘bring your own bottle’ although it is increasingly ‘BYOD’ – that’s ‘bring your own device’ – that’s creating security challenges.
The last couple of years have witnessed an explosion of devices: tablets, smart phones, iPhones, etc.
Many people now use multiple devices to manage their work and social lives. And this is a significant element, albeit not the only element, of the challenge.
These devices are mobile, data is stored locally and the divide between work and personal is becoming increasingly blurred in the world of social media.
Their use is often not (in fact, virtually never!) linked to strategy; they’ve just arrived, so the result is that many businesses are infested with inherently insecure devices (no, that’s certainly not too strong a term). And insufficient, if any, consideration has been given to what’s acceptable use of company data.
We’re certainly not suggesting that you ban all devices or consign them to the bin. There’s no doubting their considerable value in improving efficiencies, accommodating flexible approaches to working and capturing valuable data. However, it’s imperative that they are included in an holistic and strategic approach to IT security and broader data policies.
Unfortunately, devices are just the starting point. More significantly, and potentially far more confusing, the proliferation of mobile devices often leads directly to the Cloud. (Don’t pass go. And definitely don’t collect £200!).
Cloud is a subject that we could rant on about for hours. And it’s probably better if we just refer you to our commentary document ‘Head in the Clouds, Feet on the Ground’ – it’ll provide you with a concise overview of our thoughts on how to get the most from this new technology platform.
In brief, cloud is an overused and oversold term. Not even the industry really knows what it is. And out of context it actually means very little.
As ever, when there’s drama and confusion, there’s been a bit of a gold rush. Perhaps the phrase should really be ‘where there’s bulls**t, there’s brass!’
There’s a risk that it could become another dot.com or a Y2K – an opportunity for a few to make a quick buck at the expense of the uninformed.
Thankfully, the big difference now is that there are people around with decades of experience and a clear head, who can help you navigate your way around the issues, challenges and solutions.
Sadly, with lots of people offering lots of ‘must-have’ services, not all advice is equal.
Something else to consider (that I suspect many won’t have even thought of) is that it’s imperative to understand who you’re buying services from.
There’s a huge amount of white-labelling and that means you may be some distance removed from the real provider and your seller may have limited, if any, control over the services that they’re brokering.
As the market develops, there’s a significant amount of private equity money swilling around, probably on the basis that there are swift and impressive returns to be made as consolidation takes place.
And with consolidation comes change. So, your provider of choice in a competitive environment may suddenly become one and the same with a company that you were desperate to steer clear of. And your contractual terms could make it complicated and frustrating to migrate to your preferred alternative.
The risk of getting ripped off or stuck down a blind alley is almost as great as the potential security risks to your system that you’re trying to prevent in the first place.
So the question is how do you de-risk the process of de-risking?
The simple answer is to find a partner you can trust. A partner who has already done the research, can invest the time it takes to keep pace, can cut through the jargon, and has developed and applied solutions for countless of your peers.
Another key issue, and one that drives us on a daily basis at TSG, is that nothing exists in a vacuum. Not one single element of your IT system exists in isolation. Or if it does then it’s probably redundant or valueless.
Whether you realise or not, the world of IT systems, large and small, inevitably requires integration.
The performance of one part of your system is inextricably linked with numerous others, so if you simply try to bolt on a security solution the chances are it won’t work (how often have you experienced the frustration of installing software on your home PC only to be stalled by compatibility issues? If you haven’t, you’re either lucky or have never tried!).
The great news, if you’re actually a bit of technophobe, is that IT security is not really a technology issue. It’s a business issue.
A trusted partner should work with you to understand how security issues could impact within the context of your business operation. They’ll worry about the technology that sits behind the solution while you get on and run your business. So no more paranoia.
There’s a possibility, albeit unlikely, that you may not need to do anything different.
Why unlikely?
In simple terms. Change.
The nature of security threats is evolving, so what provided a secure platform and protection yesterday may not work today.
And if your business practices and processes haven’t changed then perhaps it’s time you tapped into the huge competitive advantages that can be gained from applying new techniques and technologies. (Something else we’d be happy to discuss with you!)
A very basic example of evolution – and forgive us if this appears too simplistic – is the practice of protecting the perimeter. At one time, in most businesses, the perimeter was fairly easy to define – even though the alarmingly primitive 3.5 inch floppy disc represented a potentially significant security breach.
Today, the boundary of almost any IT system is an infinitely variable shape and size and as a result is almost impossible to protect.
What that means is that we need to think again and think differently about the security solution. What it doesn’t mean is that we need to overcomplicate the solution.
Simple solutions are usually both elegant and effective. And simplification is a word that you’re likely to hear again and again over the coming months, particularly in relation to the imminent arrival of Windows 8 (a conversation for another day, but a conversation we’d certainly like to have).
The challenge? If it’s not a contradiction, achieving simplicity is not simple.
Which is probably a good time to return to the subject of ‘big data’.
Whilst experts consider data measured in petabytes as the starting point for Big Data, volume is arguably not the best indicator.
For those businesses with relatively modest volumes of data the other two of the ‘three Vs’ are more significant. They are velocity and variety.
Velocity is about the rate of change in the data and how quickly it must be used to create real value.
Variety refers to the many different data and file types that need to be managed and analysed including sound and movie files, images, documents, geo-location data, web logs, and text strings.
The link with security? These file types are traditionally associated with the potential spread of security threats. And capturing and sharing these types of data has become far more widespread thanks to the increase in the number of mobile devices.
Not only is big data, by its very nature, often captured remotely, it can also be accessed on laptops, mobiles and tablets, in airport lounges, taxis, cafes… Take a guess at how many devices are lost or left behind each year and I suspect that you’d need to multiply it considerably to reach the actual number.
So it’s not only the digital threat from malicious files that’s a major problem. It’s the negligence, ignorance or plain stupidity of those who don’t appreciate the value of the data that’s in their trusted possession.
On another level, even those huge enterprises that have been dealing with big data for years are encountering problems as they use analytical tools that now appear to be inherently insecure. Unfortunately, security wasn’t built in from the outset and they’re discovering that attempting to bolt on security as an afterthought just isn’t effective.
The lesson? If at all possible, security should be built into a system from the ground up.
One final thought on security is that it’s very similar to insurance.
In spite of the threats and risks, hopefully you’ll never need to claim and hopefully you’ll never have an IT security breach.
Unfortunately, you’ve got little or no option other than to pay the insurance premiums or the combination of consultancy fees and software licences that will keep your systems protected.
Sadly, we’re all too well aware of the mis-selling that’s pervaded the insurance marketplace.
So find and work with a trusted partner. And avoid the paranoia!