Implementing IT security is not the same as being resilient
How well can you adapt to new vulnerabilities and threats?
When one looks at the growing number of new IT attacks with a truly global impact, one can feel empathy for the CIOs (chief information officers) whose responsibility it is to deal with them all.
New threats are constantly being discovered, such as the CCS Injection flaw in the OpenSSL toolkit, which lets an attacker in the middle of a connection weaken the session keys of a TLS handshake and then read or tamper with traffic that both ends believe is protected; or the Gameover Zeus botnet, which steals banking credentials and was used to distribute CryptoLocker, ransomware that encrypts valuable data and demands payment before releasing it.
These challenging scenarios are the result of several converging issues: newly exposed vulnerabilities from poor coding practices or from simply not upgrading an old operating system or browser; malware infections; and attacks by hacktivists or nation-states.
If there is one positive point to be learned from these vulnerabilities and attacks, it is that they serve as wake-up calls and have made all CIOs question whether or not they are indeed adequately prepared.
For those who thought they were, these threats can be seen as a real-life test – ‘a trial by fire’ so to speak, for your security organisation.
In the era of the ‘always-on’ business, it is not enough anymore that you have top-of-the-line IT security tools. Your security structure should not be implemented according to a compliance checklist.
The question CIOs need to ask themselves is “How well can my organisation adapt to new vulnerabilities and threats?”
Being secured against current threats does not mean you will be secure against the next one. Having implemented IT security is not the same as being resilient.
To prepare themselves for the future, organisations need to realise that new attacks will come, hardware will fail, software will have bugs and people will always make mistakes.
Organisations need to be run with that in mind. They need to be designed with failure in mind, and remain operational despite it – so that when something eventually happens, it won’t be a disaster recovery event, but a high-availability event.
However, CIOs know it is neither simple nor cheap to provide real resilience. A surprisingly large number of CIOs admit they feel overwhelmed by the task, unsure where to begin or how to convince others in their organisation that the threats are real and ongoing.
And without assistance, the road to catch up will be treacherous and expensive.
In the Accenture Technology Vision 2014, we describe how a pragmatic approach can phase in resilience over time while staying in line with your organisation's business risks and process economics.
It describes how practices and technologies such as DevOps, performance monitoring and failure tracing, workload management, and software-defined networking (SDN) can improve resilience. And it discusses how a shift in mindset can turn an organisation into a digital business that is truly 'always-on'.
Implementing these technologies or adopting such a mindset goes far beyond any current compliance framework. Nevertheless, some organisations are already leading the pack and have successfully implemented some of them.
In doing so, they have improved their competitiveness by reducing costs, while shortening deployment cycles, improving uptime and protecting against cyber-attacks.
Organisations such as Yammer and Facebook develop multiple updates simultaneously and deploy them in staged releases. This includes using quantifiable metrics and statistical modelling to determine if an update is ready to be rolled out to a broader spectrum of users – thus shortening deployment cycles and improving code quality.
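The metric-gated staged release described above, as an added example that is not Yammer's, Facebook's or Accenture's code: a canary gate that compares the error rate of a small slice of traffic on the new build with the baseline, using a one-sided two-proportion z-test plus a practical-significance tolerance, and only then allows the rollout to widen. All request and error counts are constructed sample data; the stage percentages, thresholds and function names are assumptions for illustration.

```python
"""Canary gate for a staged rollout (added example, not vendor code).

A new build is exposed to a small share of users. Before it is promoted to
the next stage, its error rate is compared with the baseline's:
  1. enough canary traffic must have been observed,
  2. the canary must not be statistically worse (one-sided z-test), and
  3. a statistically significant difference is only acted on when it is
     also practically meaningful (tolerance), so huge samples do not block
     a rollout over noise-level regressions.
The counts below are constructed sample data, not measurements.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import erf, sqrt


@dataclass(frozen=True)
class Cohort:
    name: str
    requests: int
    errors: int

    @property
    def error_rate(self) -> float:
        return self.errors / self.requests if self.requests else 0.0


def _normal_sf(z: float) -> float:
    """Upper-tail probability of a standard normal: P(Z > z)."""
    return 0.5 * (1.0 - erf(z / sqrt(2.0)))


def two_proportion_z(baseline: Cohort, canary: Cohort) -> tuple[float, float]:
    """One-sided pooled z-test; H1: canary error rate > baseline error rate.

    Returns (z, p_value). A small p-value means the canary is worse.
    """
    n1, n2 = baseline.requests, canary.requests
    pooled = (baseline.errors + canary.errors) / (n1 + n2)
    se = sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    if se == 0.0:  # no errors anywhere (or errors everywhere): nothing to tell apart
        return 0.0, 1.0
    z = (canary.error_rate - baseline.error_rate) / se
    return z, _normal_sf(z)


def should_promote(baseline: Cohort, canary: Cohort,
                   min_canary_requests: int = 1000,
                   alpha: float = 0.05,
                   tolerance: float = 0.001) -> tuple[bool, str]:
    """Decide whether the canary may move to the next rollout stage."""
    if canary.requests < min_canary_requests:
        return False, (f"hold: only {canary.requests} canary requests, "
                       f"need {min_canary_requests}")
    z, p = two_proportion_z(baseline, canary)
    delta = canary.error_rate - baseline.error_rate
    if p < alpha and delta > tolerance:
        return False, (f"block: canary error rate {canary.error_rate:.2%} vs "
                       f"baseline {baseline.error_rate:.2%} (z={z:.2f}, p={p:.2g})")
    return True, f"promote: no meaningful regression (z={z:.2f}, p={p:.2g})"


# Assumed rollout ladder: share of users receiving the new build per stage.
STAGES = (1, 5, 25, 100)


def next_stage(current: int, baseline: Cohort, canary: Cohort) -> int:
    """Return the next stage percentage, or the current one if the gate holds."""
    ok, _ = should_promote(baseline, canary)
    if not ok or current >= STAGES[-1]:
        return current
    return STAGES[STAGES.index(current) + 1]


# Constructed sample cohorts.
BASELINE = Cohort("v1.3", requests=50_000, errors=250)      # 0.50 %
CANARY_BAD = Cohort("v1.4", requests=5_000, errors=60)      # 1.20 %
CANARY_GOOD = Cohort("v1.4", requests=5_000, errors=24)     # 0.48 %
CANARY_THIN = Cohort("v1.4", requests=200, errors=3)        # too little data

if __name__ == "__main__":
    for canary in (CANARY_BAD, CANARY_GOOD, CANARY_THIN):
        ok, why = should_promote(BASELINE, canary)
        print(f"{canary.name} ({canary.requests} req): {why} -> stage "
              f"{next_stage(1, BASELINE, canary)}%")
```

The tolerance matters as much as the p-value: with millions of requests a 0.02 percentage-point regression becomes "significant", and without a practical threshold the gate would block every release.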
Other companies such as Gilt (the flash sales site) and Eurovision’s annual Song Contest have implemented workload management tools and services that enable them to remain operational in the face of spiking sales traffic (when a flash sale goes live) or while being under the effects of a massive DDoS (Distributed Denial of Service) attack.
Other organisations embrace the new digital and resilient mindset to redesign their global IT infrastructure. Empowered by new tools, they have managed to consolidate multiple platforms into a single global unit and reduce the number of applications.
Fewer applications mean fewer vulnerabilities and lower licensing costs. Combined with adopting a sourced IT staff model, they have strengthened the organisation while reducing their IT spending.
Both their IT infrastructure and security organisation are now scalable and ready when an incident of scale demands more than a normal situation would.
However positive these examples may seem, there are many more organisations that are moving at a slower pace to respond to the challenge. Finding the right solutions and partners can be a difficult first step to take, but is necessary for all organisations in the future.
The goal of true resilience is not only for industry leaders anymore, but is becoming a core concept within every digital organisation.
If there is one thing that’s certain, it is that the risk of sophisticated cyber-threats will only increase as organisations keep moving more and more of their activities to the digital space. Organisations must therefore architect resilience to be prepared for potential threats to help them respond quickly after an attack and ensure business continuity.
Sebastiaan Wahlers is a security consultant at Accenture.