IT Security 2011: Risk Interlinked

Security | 7 minutes read | Jan 27th, 2011

It should probably come as no surprise to you that I think the #1 security concern in 2011 is around the proliferation of mobile devices. That, to me, is going to be the ongoing concern for organizations around the world this year.

That said, we cannot address the security of mobile devices in a vacuum. There are four interlinked security challenges that are facing IT departments in 2011. You need to address all four in order to address the whole:

  1. Risk Intelligence
  2. Social Media and Social Networking
  3. Mobile Devices Proliferation
  4. Cloud Computing

Each requires a careful and strategic response, because they all have an impact on the success of the business beyond security. Let’s look at each of these risk factors for 2011.

Risk Intelligence

We often talk about security in a very tactical way. What we don’t talk about very often, though, is risk. The fact is, “risk” is more aligned to the business than “security.” Security is certainly a tactical element that has to be addressed. But security should be aligned to meet risk management objectives which are, in turn, aligned to business objectives.

Risk intelligence is the key that helps you get there. It’s a process used to concentrate and analyze the data silos that exist across an organization. We can make better decisions about risk given the aggregation, correlation, visualization, and decision-making capability of those disparate data sets.

Consider fraud and fraud prevention at financial or insurance institutions. Those institutions are attempting to deal with a rising tide of fraud with data that reside in multiple silos. Unless those organizations aggregate and analyze this information, the executives and analysts can’t make sound decisions about risk.

Technology in and of itself is not going to solve the problem. We have to have an understanding of what we’re trying to achieve and how we’re trying to achieve it. Only then can we start to create a more effective risk management strategy that includes what technology we need to deploy, and what types of policies and procedures — including those that deal with mobile devices — we need to have in place.

Social Media and Social Networking

The proliferation of social media and social networking presents interesting risk challenges. Because we are social beings, even in our work lives, people naturally want to use social media. They want to share thoughts, images, articles, videos, and links. They want to talk to family and friends. They want to network with colleagues, customers, and partners. And they want to do this on a global scale.

The problem arises when people start talking about their work or their company, because this activity can potentially reveal sensitive information — intellectual property, trade secrets, or stuff that’s just plain embarrassing and potentially damaging from a public relations perspective. These things might seem innocuous when posted, and might well be posted without any animosity or agenda whatsoever.

But outsiders can compile these apparently innocent posts into a single view, and can suddenly connect the dots. It’s entirely possible that a competitor, investor, employee, or adversary can paint a picture of what an organization is doing — facilities being planned, prospects being visited, positions being filled, details of a new strategic initiative, revelation of a struggling product or group, and so on. The truth is out there.

How do you manage this as a company? Do you tell employees they can’t use Facebook, Twitter, or LinkedIn? It’s certainly possible to have a restrictive policy on social networks, but doing so is often at odds with corporate social media initiatives — not to mention the demands of workers, customers, and partners. Managers are increasingly asking their people to become involved in social networks, so as to capitalize on the improved customer service, communication, collaboration, and productivity benefits offered by these services.

All in? Or off limits? For 2011, the answer will most likely be something in between. Companies have to strike a balance between encouraging and urging caution in the use of social media. And this gets back to my comments about risk intelligence. We can’t make security-related decisions about social media and social networking without first understanding the risks, weighing the benefits, and seeing how social media aligns with our business goals.

Mobile Devices Proliferation

Mobile devices, particularly smartphones and tablets, are proliferating. The mobile tablet computer is emblematic of the trend. This time last year there were exactly zero mobile tablets from major brands on the market. Last week IDC reported there are 17 million mobile tablets in the field (mostly iPads), and projected that another 45 million could be sold this year.

Zero to 62 million in about 18 months. Add to that the smartphone adoption juggernaut — one in four people now have a smartphone, for a total of 61 million — and that’s what I call proliferation. Despite this unprecedented adoption velocity, what I don’t see yet from the U.S. marketplace is a real concern about the risk profile of these mobile devices.

Certainly there is lots of talk about mobile device security, but there has been little action in addressing the actual risks here in the U.S. Meanwhile, the use case for mobile devices continues to evolve. Just this month, Starbucks started accepting payment at checkout via smartphones, with the capability being rolled out to 7,800 stores. This sets the stage for what analysts say will be a $633 billion mobile payments market, with 490 million users, by 2014.

Frankly, it’s the beginning of the end of the plastic credit card. Yet U.S. smartphones lack the embedded security technology that’s routinely used to secure credit card and banking transactions in Europe and Asia. No matter what the mobile platform, brand, or operating system, it will be up to IT organizations to collect the risk intelligence, and develop clearly defined methodologies and policy to deal with the challenges — all without limiting their organizations’ ability to capitalize on the benefits of mobile devices.

Cloud Computing

To me, cloud computing is where all these issues — risk intelligence, social media, social networking, and mobile proliferation — become interconnected.

Organizations are incorporating cloud computing into their IT infrastructure to reduce cost and boost agility. But considering a move to the cloud, whether public or private, raises a host of questions about how, where, and when data are going to be protected. Unisys addresses those questions with technology focused on making the cloud secure.

As one example, Unisys’s Stealth solution has the ability to take network packets, separate them, and encrypt them simultaneously, preventing any unauthorized persons from capturing data on the wire and reassembling it. Data are separated and encrypted at one end, then reassembled and decrypted at the other end, resulting in continuous protection.

Effective and secure use of the cloud requires a clear understanding of the business objectives, knowledge of the data types flowing across (and perhaps outside of) your network, and definition and implementation of policies for end users. We want to align our use of cloud computing to business objectives, with the goal of securing information when and where appropriate, and without allowing security to become an inhibitor to productivity.

Once again, it all comes back to — indeed, starts with — risk intelligence. IT no longer has the luxury of sitting in an ivory tower, so to speak, dictating the devices and applications and governing the pace of technological change in their organizations. The competitive landscape is changing too fast. IT has to be able to rapidly assess technologies and provide services (including security) to new devices, social media and networks, and the cloud.

Humans tend to suffer from something called cognitive dissonance. We avoid dealing with problems that challenge our assumptions about how the world works until the problem is staring us in the face. The result is a reactive approach to risk. We started screening people for shoe bombs only after someone attempted to detonate a shoe bomb on a flight.

We need to evolve from talking about security to having a better understanding and management of risks. Only then can we align security tactically, from technology, procedures, and policies to a better approach to managing chaos. That’s the imperative for 2011, because the crooks and criminals and malware developers won’t wait for us to get our policies and procedures in place.
