Australian Cyber Security Magazine, ISSUE 1, 2017


Modernising your security strategy

By Peter Tran, General Manager and Senior Director of RSA Security’s Worldwide Advanced Cyber Defence Practice, RSA

While cloud, mobile and the Internet of Things (IoT) present undeniable efficiencies and opportunities in the business world, the reality is that they also add considerable cybersecurity complexity and potential exposure. In 2016, over 260 billion apps were downloaded over the Internet across approximately 7.5 billion mobile devices communicating in an interdependent web with cloud-based platforms and services. This is referred to as the Internet’s “Third Platform” and is where innovating your information security strategy is imperative.

Many organisations are finding that the increased efficiency gained from new technologies is paramount to remaining competitive in today’s “Third Platform”, as these technologies are foundational to many critical business and operational innovations. The number of devices, identities, and cross-functional systems across hybrid cloud, on-premise, public/private infrastructures, mobile platforms and shared business IT services is skyrocketing. To date, there are over 22 billion connected IoT devices on the World Wide Web, with projected growth to over 50 billion by 2020. This is predominantly driven by increased adoption of cloud collaboration infrastructures, mobile workforce, sales and operations teams, as well as an expanding number of global trusted partner networks and privileged external/third-party users.

The explosion in the number of devices, identities, and shared systems isn’t just transforming business; it is changing critical cyber security requirements as a direct result of the sheer scale, speed and complexity with which organisations, both public and private, are migrating legacy systems to the “Third Platform”. While modern organisations are capitalising on cloud, mobile and IoT, they are also expanding their attack surface, and with it, new “hacker hot spots” are left in the wake of IT expansion, which leaves fertile ground for nation state hackers and cyber criminals to exploit.

The worldwide cybersecurity spend for 2016 topped US$74 billion according to research analyst firm IDC, with projected spend to reach over US$102 billion by 2020. Despite this level of spending, we have seen over 2,000 data breaches and 700 million personal records stolen, with an average financial loss of US$3.5M per incident. That said, the most shocking statistic is that on average, organisations were aware they had been hacked less than 30 percent of the time. Another way to look at it is that with today’s aging security capabilities, hackers have a 70 percent chance of breaching an organisation’s network undetected.

It is time for a reality check, and time is not on our side: organisations must face the hard facts. Traditional security measures no longer stack up against the advanced cyber risk that organisations face today. They are ineffective because they are built around the belief that attacks can be prevented based on conventional perimeter-based designs. The rapid transformation to the “Third Platform”, coupled with new attack techniques and tactics, is driving a call to action for strategies to be put in place to manage attacks based on business context and operational risk, or “business driven security”.

Traditional security strategy has typically been an afterthought, focused almost exclusively on protecting technology and systems that have already been put in place within legacy on-premise infrastructures. Business initiatives were, and in many instances still are, developed without considering the cyber risk exposure associated with them. In fact, many organisations have not even gone through the exercise of determining what their cyber risks are. Simply put, the right hand doesn’t know what the left hand is doing. The widening gap between business context and cyber risks is where breach exposure exists. The gaps in traditional security strategies become wider with the proliferation of cloud, mobile and IoT, as well as a surge in third-party workforces within organisations, all adding to business complexity and risk. If businesses want to modernise their security operations, technology investments alone are insufficient.

Security innovation and transformation begins with a balanced strategy between IT architecture, infrastructure, technology, process, automation, data analytics, effective workforce management, compliance and governance. Cloud technologies provide enterprises with on-demand

