Geoff Webb (Global) - Security and the Boiling Frog

Geoff Webb discusses the risks of not adapting to change when it comes to IT security.

There's an old folk tale about boiling frogs: Drop a frog in boiling water and it will jump right out. Gradually turn up the temperature, though, and it will sit there, unwilling to leave what it thought was safe water, until it's doomed.

Usually this metaphor is used in business to describe how gradual change is necessary in order for it to be accepted - implement changes too rapidly and they are far more likely to be met with resistance; go slow and people have time to adjust. However, when it comes to the business of IT security - and what the next couple of years entail for security, in particular - the analogy can be just as applicable, and the end result a lot less benign.

Change is happening. Fundamental change fueled by the drive towards cloud services, BYOD, social media and identity, and the constant drum beat of "Collaborate! Share! Open!" For security teams trying to respond to these changes, just like the frog in the story, the water is most definitely getting hotter and hotter.

And yet many organizations are either unwilling or unable to adapt their security thinking to this new world; a world in which so much of the IT infrastructure, and the way it is used, is out of the direct control of the IT organization.

Despite every indication of impending disaster - despite breach after breach, vulnerability after vulnerability, the continued spread of advanced persistent threats - the security posture for many organizations has not advanced much beyond what it has been for the past decade.

Security professionals are well aware of where this is headed - they know only too well that at some point the environment will move from simply difficult to downright dangerous. As we look forward to 2013, it's clear that we cannot continue to operate as if this status quo is OK. We can't be the frog, nor can we let the business act like one.

As many organizations accelerate their adoption of trends like cloud computing and BYOD, there is a closing window of opportunity for the security organization to take control of the situation and drive an understanding of the long-term challenges of these changes. At the same time, security thinking has to evolve to reflect the fact that, with so much of the infrastructure beyond the control of the IT organization, there are still critical elements that can be managed - and it is there that efforts must be applied.

One way to drive risk reduction is to take a more data-centric approach to security programs: that is, to evaluate where critical data is stored, and to focus resources and efforts on protecting that data. This is a natural progression of the last few years' efforts to move away from perimeter-first security, in which the bulk of effort is expended in trying to keep the bad guys out. Insider threats, especially when they come from a third-party provider such as a cloud service partner, are incredibly difficult to protect against, and in a cloud-enabled enterprise, the concept of "outside" is simply meaningless.

So the trend towards data-centric thinking - to focus on the data that is at risk and not the infrastructure around it - makes more sense than ever.

Also helping the security team address the growing complexity of risks will be security tools that provide far more "intelligence" than ever before. These tools must deliver higher quality, actionable intelligence to security professionals, in a way that helps them more rapidly understand the risk implications of what they are seeing as they monitor changes, activity and user behavior. Central to this is the idea of providing increasingly meaningful context to events - not just showing the security team what happened, but helping them more fully understand who was involved, how what they are seeing is different from normal, and what it might actually mean to the critical data they are protecting through the lens of organizational risk.

These are not simple solutions, and they require the business to enable the security teams to make these changes and to be a partner in the accelerating changes that are redefining business IT.

All that said, security teams had better move fast to adapt their programs to a world in which so much is beyond their direct control. What they face today is highly complex and often difficult to understand, and the future promises more of the same. The heat is getting turned up, and sooner or later, sitting still is going to result in a lot of boiled frogs.

By Geoff Webb, Director of Solution Strategy, NetIQ