Have you heard the tale of the blind men and the elephant? The story goes that a group of blind men try to describe what an elephant is like. Each one feels a different part of the animal such as the trunk or the ear but when it comes to comparing notes they are in complete disagreement, each having only a part of the full picture. Organisations that try to tackle security in isolation are like the blind men – they are trying to implement solutions that fix an element without ever taking a complete view of the problem.
I've spent the past 12 months writing about the need for organisations to change their approach to cyber security to get them to think beyond the prevention phase of the cyber-attack lifecycle. As the IT security industry gets swept up in the latest GDPR-driven hype cycle, I've lost count of the number of products, services and vendors that promise to 'solve' GDPR. So many of these solutions fail to address the fundamental issue which is that most organisations cannot tell you where their data is, who has access to it, who has made changes to it or what controls they have to protect it.
In my opinion, without an understanding of data location, content, context and access, organisations will continue to fail to implement effective security policies even as IT security spending increases every year. User's digital lives now exist in more places than ever. Gone are the days that all applications resided on local devices and files on shared drives. Productivity tools have grown exponentially and so has the spread of the data residing in those platforms - SaaS, PaaS, IaaS, SAN, NAS, Object, Local Disk, USB, DVD, Cloud, MultiCloud and even transmission of data faster than light. We're not only blind men trying to describe an elephant but a whole collection of different animals.
At the same time, our approach to security hasn't developed at nearly the same rate as an industry and we are still using the same approaches to try and stop a breach in isolation. As we move to outsourced, shared or co-location datacentres not owned by the organisation we must learn to live without seeing the physical security controls, flashing lights and other safety blankets of old and instead build controls that suit each environment.
Operational risk is inherent in any organisation and it is something we need to become more comfortable with, however, very few organisations truly understand their risk and even fewer have any methods of limiting it. In this series, we'll explore this distributed world we find ourselves in, look at ways that organisations can reduce their exposure to the risk of a cyber security breach and, once reduced to the lowest level reasonably possible, refocus on what really matters: delivering the best experience and tools for our users.
This series will focus on some core techniques which we will come back to in later posts, including:
I am lucky to be joined by a team of Softcat specialists who will be looking at specific customer challenges for example, the Internet of Things (or otherwise known as 'a million more devices on my network'), the sliding scale of hybrid cloud (aka. Help! My data has left my building), and first-hand insights with organisations that have gone through a breach (and lived to tell the tale).
If you're interested in looking at any of these areas simply speak to your Softcat account manager or contact us using the form below.
We'd also like to know what you, our readers, would like to hear about so please drop us a note on our Twitter and LinkedIn channels or get in touch using the form below.
We would love to hear any comments you have about this article!