Cloud computing has changed IT in many ways, not least in security. A decade ago, in a less “cloudy” world, an enterprise would either manage IT itself or delegate much of it to a large consulting or IT services firm. Either way, one or two people (the CIO and/or the outsourcing firm’s lead) took charge of security, which typically meant setting up barriers around internal resources.
Today, as technology has permeated all levels of organizations, IT security management has become more distributed. According to a study of 1,800 business decision-makers discussed in NTT Security’s 2018 Risk:Value report, ultimate responsibility for managing an organization’s day-to-day security could fall on any number of shoulders. The CIO remains the leading candidate, with 22 percent of respondents saying the buck stops there. But 20 percent point to the CEO, 19 percent to the CISO and 15 percent to the IT director. And with nearly anyone now able to spin up a virtual machine (VM) or open a SaaS account, it does seem as though “we are all CISOs now,” as I’ve written elsewhere.
Not only is leadership fragmented internally, but ownership of security has also been extended externally to a large number of third-party IT partners. Along the way, security practices have changed. For many services, workflows now span both public and private cloud infrastructure. With the rise of hybrid and other cloud models, along with Wi-Fi and mobility in general, the old perimeter-based approach simply no longer covers the territory.
Reclaim Ownership of Security
Security in the traditional enterprise was not necessarily better, but it was simpler. Risks today are complex and proliferating. Threats may emerge from your software supply chain, or from the latest hacking trend, such as crypto-mining malware. And the stakes are high.
The average global cost of remediating a software supply chain breach is $1.1 million. According to the Risk:Value report, the average global cost of recovering from any data breach is $1.5 million. And penalties for failing to comply with new privacy regulations are growing. Damage to customer and brand confidence from breaches can be significant, far-reaching and long-lasting.
Those costs are good reasons to reclaim ownership of security. While it is possible to overstate the changes (some practices, such as user access control, data protection and documentation, remain constant), we live in a time when threat mitigation involves much more than upgrading a network firewall. In today’s multi-sourced and cloud-infused IT arena, enterprises need to assume control of their overall risk and governance framework.
5 Ways to Make Sources More Secure
Regaining control may require exercising some relatively unused muscles. As my colleagues at NTT Security note in a white paper titled “Managing the risk of IT Multi-Sourcing,” the tendency is for organizations to focus on a provider’s service level agreements (SLAs) and capabilities. But if you’re involved in sourcing IT services, don’t be afraid to collaborate with security leaders and experts, probe your suppliers and build security into your contracts. Here are five steps that NTT Security recommends:
- Assess risk: The first way to get traction with security is to conduct a risk assessment of all your IT service providers. The goal is to identify vulnerabilities and fix them. Some areas, such as personal-data handling under the General Data Protection Regulation (GDPR) or the related Identity and Access Management (IAM) controls, may need more immediate attention than others. And as indicated, some measures are mandated by law rather than left to choice.
- Build trust: Once you have identified partners that may be high risk, begin to take steps to embed security within those engagements. Or look for less risky alternatives. Going forward, considerations around cybersecurity should be a key part of making any purchase decision and/or establishing and maintaining trust.
- Establish visibility: As they say, there’s no management without metrics, and no metrics without visibility. Maintain the right to audit your provider’s services. This could include monitoring IAM controls, network and endpoint activity, or log analysis. If your suppliers hold security certifications, include compliance with those standards within the scope of your audit rights and controls, rather than taking the certificate on trust.
- Prepare for incidents: Data breaches of some kind are likely, if not inevitable. This puts a premium on setting up incident response plans as part of ongoing business continuity practices, and on testing them. These plans won’t prevent incidents, but they can minimize the fallout, including negative publicity.
- Be ready to walk: An outsourcing relationship is unbalanced if you are not prepared to terminate it. This is not just a matter for the sourcing and legal teams. Security leaders also need to be engaged and aware of termination procedures, including the return of information or assets, confidentiality, handing over services to other vendors, etc.
Execute the Strategy
There is no going back to the pre-cloud world of doing everything yourself, or using a single IT consulting firm. But one smart way to standardize cybersecurity policies and provide an intermediary between you and your many suppliers is to partner with a Managed Security Services Provider (MSSP).
Regardless of your security approach, take the time and effort to embed security within your contracts and then make sure to follow through and execute the terms.