The debate: What are the challenges facing the information security industry?
31 May 2015
A panel of experts debate the biggest challenges in information security today.
Director, product marketing (cloud security), Akamai
Online availability is the lifeblood of many organisations today, so it’s easy to forget that the internet is inherently insecure. Underinvestment in IT security, growing political and commercial incentives and accessibility to sophisticated attack toolsets have left many enterprises vulnerable to the explosion in online crime.
Cyber-espionage, for example, is on the rise, as typified by recent activities from the DD4BC group. Their Distributed Denial-of-Service (DDoS) campaigns threaten to render particular websites inaccessible, unless a payment (anonymised via bitcoin) is made. In the absence of a highly scalable security solution, victims often pay, knowing that further downtime could result in huge online revenue losses and brand damage.
Akamai’s 2015 Q1 State Of The Internet Security report quantified these trends, stating that the number of DDoS attacks across its network, which carries 15-30 per cent of all web traffic, more than doubled since Q1 2014. With the average cost of a successful cyber-attack now exceeding £1m, it’s easy to understand why online business continuity has made it to the boardroom.
CEO and founder, CipherCloud
With the typical enterprise consuming 1,100 cloud applications, cloud is the killer app for security. By enabling the convenience of the “anywhere, anytime” revolution, cloud is projected to become a $106 billion market by 2016. But the accelerated productivity and go-to-market benefits introduce additional risks to the enterprise.
Expanding the corporate perimeters exponentially increases vulnerable entry points for surveillance, breaches and other attacks. Snowden, Target and Sony all reflect the ubiquitous threats facing sensitive data in the dispersed network of the cloud. These risks also demonstrate the intermingling of security with privacy, residency and compliance. Security has become a boardroom issue because inadequate protection tools create a chain reaction of breaches to these other elements.
The most immediate remedy is innovation in the layer between the cloud and the enterprise. As Gartner recently noted, the cloud security access broker (CASB) space is the fastest growing security segment. Expect more developments from CipherCloud and other leaders in this space at the upcoming InfoSecurity Europe.
CEO, First Base Technologies LLP
Today, the most innovative security professionals are looking for new security practices that add real value to the business. However, sometimes it’s possible to take a new concept and turn it into a truly ground-breaking idea that directly addresses a major security challenge.
Recently a client engaged us to conduct a red team exercise – a process that involves completely reimagining traditional security testing into a simulated criminal attack under controlled conditions. This advanced concept mimics the real-world targeted attacks that businesses face on a daily basis, and delivers the true business impact of a breach.
What was truly innovative in this case? Our client took the results of the exercise and created an engaging, story-based presentation and delivered it to all levels of the business worldwide. The result was an awareness campaign that staff talked about with enthusiasm and recommended to their peers, strengthening the organisation’s security in that most vulnerable area – the human firewall.
Senior technology evangelist, Thycotic
From limited budgets, to lack of organisational support, to the ever-expanding nature of where critical data is stored, security organisations have more challenges now than ever. Attackers have more tools and methods with which to launch attacks and compromise systems, which makes it increasingly important for security teams to find cost-effective, efficient, easy-to-use solutions that can automate and bolster the layers of defence to prevent such attacks.
Even from a non-technological standpoint, security teams are often fighting against the internal culture of their organisation, which views security as “hard” or “too much of an obstacle”. These types of challenges can be even harder to overcome, but are no less critical to the success of any security programme. Without support from leadership and buy-in from admins and end-users, no amount of change, process or toolsets you implement will ultimately be successful in protecting critical data and securing the organisation.
VP of research and development/CTO, Tripwire
Most companies evaluate cyber security risks using the same risk/reward calculations used for other business risks. In addition, competitive pressures to deploy cost-effective business technologies can affect resource investment calculations for cyber security investments.
These competing business pressures mean that conscientious and comprehensive oversight of cyber security risk at the board level is essential. However, it can be very difficult for technology executives to accurately convey the rapidly changing shape of cyber security risks to non-technical executives and board members. It’s also very challenging to tie security to business initiatives, and the metrics needed to standardise the evaluation of cyber-security risk are still emerging.
The good news is that substantive conversations about effective management of cyber security risks are beginning to happen at all levels of the organisation. These conversations are a critical opportunity for the security industry; we need to deliver information that will help build executive cyber security literacy so they can make better cyber security risk management decisions.
International product marketing director, Dell Network Security
Organisations are spending more than ever on IT security, both to comply with internal and regulatory requirements and to protect their data from cyber-threats. Yet each year, high-profile data breaches continue to fill the headlines, sabotaging the reputations, relationships, and revenue of the businesses that are victimised. It’s clear that global cyber-crime is alive and well, and will only continue to be pervasive as long as organisations delay taking the necessary defense measures to stop threats from slipping through the cracks.
Dell Security’s 2014 Threat Report saw a 109 per cent increase in the volume of HTTPS web connections in 2014. Managing threats against encrypted web traffic is complicated. Just as encryption can protect sensitive financial or personal information on the web, it unfortunately can also be used by hackers to inject malware.
Vice president of global marketing, Absolute Software
One of the main challenges organisations face is how to protect a rapidly growing database of information on mobile devices. Not long ago, business-critical and sensitive corporate data was protected behind the walls of a robust data centre. Today with the growth of mobile deployment, this dynamic has changed drastically. Most employees have the ability to access sensitive information directly from their mobile devices and we often see that the security infrastructure of an enterprise becomes far less effective and secure as it reaches endpoints.
Not only do we need to be concerned with the event of the breach itself, but the financial implications of noncompliance with regulatory bodies can be, and have proven to be, incredibly costly. Organisations need to implement a layered approach to security in order to address the wide range of sophisticated attack vectors that we commonly see.
Executive VP, global sales, Resolution1 Security
There is too much industry focus on the network, and not on endpoints. The industry has gravitated towards developing network security products because TCP/IP (first developed in 1975) hasn’t changed in years and there is a false belief that if you watch the front door, you’ll catch every attacker since they have to traverse the threshold.
Unfortunately, that’s not true. With so much innovation around Bring Your Own Device (BYOD), tablets, smartphones, VPN, and so on, workers are becoming much more mobile. A laptop that is on the network and protected by multiple layers of network security at work is then virtually naked when it leaves the protective shell of the enterprise.
What most of the industry has failed to notice is that the data lives on the endpoint and it’s constantly going on and off network, which really extends the “attackable surface” by which threats can get in. There needs to be much more focus on endpoints, and less on network.