A Q&A with Ron Temske, Vice President, Security Solutions, Logicalis US
It’s no secret that security is top of mind among IT professionals today. It seems that every day a new threat or breach is discovered, and as those security breaches become more prevalent and increased media attention fuels anxieties, commercial organizations and government agencies of all sizes are quickly realizing the importance of putting effective security policies, strategies and solutions in place. In corporate boardrooms nationwide, C-level executives, IT professionals and line-of-business managers are all talking about the security of their digital assets and how to prepare their organizations to minimize the damage from the inevitable breach that is to come.
Q: How can IT pros tell if their organizations are prepared for an attack on their companies’ digital assets?
A: They need to ask themselves some hard questions. Do they have an incident response plan in place? How would they know if they had been attacked? Before you can determine if you’re prepared, you have to take the time to assess your vulnerability, something which often requires the help of an outside security expert.
Q: What are some of the key things you look for when assessing an organization’s vulnerability to attack?
A: To help them align their security goals to be appropriate for the data and systems we’re protecting, we first look at what type of data the customer has as well as the value and sensitivity of that data. We need to know if they’re subject to any type of industry or governmental compliance regulations like PCI-DSS, HIPAA, SOX, GLBA, NERC, or FISMA. And we’ll want to know if they have a formal security risk management strategy in place and whether or not that strategy fully supports and integrates with their overall risk management policies for the business.
Q: Security is a complex topic with hundreds of products and technologies from dozens of vendors competing for customer mindshare. How can IT professionals – who may not be security experts – sort through this maze?
A: Cars are complex, too, but you don’t need to understand how the crankshaft works to drive the car. It’s similar with security. We can take care of building the solution. We just want to make sure we’ve asked all the right questions so we get the client into the right car. You want transportation – that’s what you’re trying to accomplish.
So the first thing security customers need to understand is, despite all the focus on technologies and products, security is ultimately all about risk management. We need to start with a thorough understanding of what assets they are trying to protect, what they are protecting them from – theft, destruction or compromise – and, if they can answer it, who they are protecting those assets from. They also have to define what kind of damage the organization will sustain if the unthinkable happens, because it may – no security solution is impenetrable. Are they looking at loss of revenue or reputation? What about regulatory fines? When a customer is able to answer these questions, we’re ready to have a serious discussion about potential solutions that will meet both their business objectives and their budget. They don’t have to be experts in security to answer those questions. The starting point is an open discussion about risk management. Our ultimate objective is to help our clients protect their business, not confuse or overwhelm them with security buzzwords and technology.
Q: Then you’re ready to implement a solution?
A: No, not quite. You then have to determine what level of protection is appropriate for the different kinds of digital assets the client wants to protect. For example, there’s a big difference between securing patient records and a doctor’s vacation calendar, though both kinds of data may reside somewhere on the hospital’s network. It’s rarely a one-size-fits-all approach, and that’s where organizations make mistakes that cost them a lot of money unnecessarily. Security isn’t about finding a single solution that instantly protects an organization; there is no single perimeter protection anymore.
Q: Aren’t traditional firewalls and anti-virus enough, particularly for organizations that are not primary targets?
A: No, and those are two of the biggest misconceptions people have. Everyone is a target. As malicious actors work to gather Social Security numbers for identity theft or encrypt systems for ransom, even a small business can become a target for cybercrime. And with regard to firewalls, it’s important to remember that anything that comes into the network beyond the firewall not only gains unfettered access to your data, but it also becomes increasingly hard to detect, track and eradicate. For example, imagine a well-meaning employee who brings in a USB key and plugs it into his or her desktop or laptop at work. Let’s say the USB key carries advanced polymorphic malware. Once it’s plugged into the system, that malware is in – and it’s behind the firewall and undetectable by antivirus.
Q: So, at what point does protection become most critical?
A: There isn’t a single point; you have to be prepared throughout the entire attack continuum – before, during and after an attack – to secure your digital assets and, when a breach does occur, to repair any damage done in as expedient a manner as possible.
Q: Should CIOs be worried?
A: Cybercrime is big business and everyone is at risk. But, with that said, we don’t think capitalizing on people’s fears is the right approach. We want to reduce those fears, take the complexity out of the process and take a business-centric approach to creating a solid security strategy that meets our clients’ needs and budgets. And it’s important to talk about budget because a lot of people over-pay by buying what they think are one-size-fits-all security solutions. Truth be told, there is no such thing. There is no silver bullet that will provide protection across your entire infrastructure. Hackers go around those solutions. There may be scores of security applications and devices across IT environments, but that hasn’t stopped them either – hackers find the cracks and sneak through the spaces in between. The only effective approach is an architectural approach that is manageable, adaptable, resilient and responsive. But that doesn’t have to break the bank. As one of our security team experts likes to say, “No one should buy a $1,000 safe to protect a $100 bill.”
Q: If an organization knows it needs a better security strategy, where would you advise the CIO to start?
A: With a cyber risk and vulnerability assessment. They need to talk with a security expert who can help them identify and classify their unique security vulnerabilities. In fact, even organizations that think their security is iron-clad should do this periodically. Some regulatory bodies will even insist on this kind of third-party validation.
Q: After they’ve gone through the exercise of identifying potential vulnerabilities and they have a well-thought-out security strategy in place, who manages that?
A: That’s a really good question. Many organizations naturally assume that since they have a skilled IT staff, they can turn over the management of the security solution to them once it’s up and running. And, in some cases, that may be the best option. But when managing the continuous swarm of alerts and identified threats overwhelms an IT department, they may need expert outside help. At Logicalis, for example, we offer a managed security service to help companies respond to alerts more effectively by taking over the monitoring of threat activity and acting as a first responder to determine whether or not a threat really exists before turning it over to the client’s internal IT team. The nice thing about managed security is that it operates around the clock, 365 days a year, in 13 countries worldwide. Trying to duplicate that in house may not be economically feasible, so it’s definitely something enterprise CIOs should ask about.
Q: Do you have a final thought for the people reading this post?
A: First and foremost, spend the time to understand and document the risk to your business. When you can articulate the assets you need to protect and have at least some idea of the value of those assets, you’re in a much better place to begin a security conversation. While there are clearly some basics that every business needs, understanding your organization’s unique risk profile is the key to establishing a comprehensive security strategy. Ask yourself one simple question: “If you knew you were going to be breached tomorrow, what would you do differently today?” – then, do something about it. Take the first step. Inaction is what leaves you most vulnerable. You know the old adage “failing to plan is planning to fail”? Well, it holds true here. Hope is not a strategy when it comes to security.
Want to learn more? Your organization may not have been breached yet, but it will be; find out what you can do about it, then explore three essential steps that can help identify, thwart and prevent data loss as well as five ways IT pros can assess their data’s vulnerability in the cloud. You can also read more about the importance of securing your network as well as the physical security of your data center premises, then plan for business continuity by focusing on these secrets to protecting digital assets: http://ow.ly/10mLqA.