How enterprise IT security conversations have changed
Deutsche Telekom is one of the world’s largest telecom companies, and its corporate IT and cyber security arm T-Systems is one of the largest European IT services companies. Among its customers are big corporations such as Volkswagen, Daimler, Philips, Airbus, and BP.
It stands to reason that Scott Cairns, Head of the Cyber Security Team at T-Systems, can offer valuable insight into cybersecurity trends in the kind of global, complex systems that companies like these operate.
One example: since his focus is on clients and prospects, he has noticed that the conversation with them has clearly evolved.
Security conversations have changed
It used to be that security was an afterthought, and the first item to be cut to save costs. But things are different now, as organizations see first-hand the impact of inadequate security measures. They are now willing to explore a comprehensive approach to securing their organization, and to allocate budget specifically for implementing a wide-ranging security strategy. The conversation has also evolved from a pure focus on preventative measures to a holistic approach that incorporates detection and response.
“This certainly presents some interesting challenges, as although organizations can be described as residing in a particular industry vertical, most companies have different ways of working, and particular nuances in their operational processes,” he tells me.
“Each conversation is therefore different, and whilst the services and solutions being discussed are the same, how they are implemented within each organization requires an appropriate tailored strategy.”
In order to keep on top of things as the security landscape keeps changing, he is now “living and breathing security on a daily basis.” That means his days are filled with reviewing the latest service offerings from their security labs, and reading and absorbing many information feeds on security topics from across the Internet.
“This is actually more an interest than a challenge, as there are incredible innovative start-ups operating within the security industry, and topics like machine learning and narrow AI are becoming more pervasive in a sector that needs all the help it can get, particularly amidst the skills shortage we now find ourselves facing,” he says.
He believes that some of the most inspirational and innovative solutions are being created by small agile organisations. “These are the cutting edge security providers to watch, and we often look to embrace these companies as part of our extended portfolio.”
On security awareness and shadow IT
Cairns is deeply passionate about the need for security awareness education and training in an increasingly digitally interconnected society.
It is in both the employers’ and employees’ interest to seek out cyber-education, to better prepare themselves for what we face now, and may face tomorrow, he notes.
“From an employer perspective, educating employees on cyber security during only the onboarding process, or anything less than (minimum) every six months, is a neglection of duty,” he opines.
“The pace of change within the security sector demands a more formalised and intensive approach to education on the topic. The introduction of the new GDPR in May 2018 will bring with it crippling financial penalties for companies not able to demonstrate all measures were taken to avoid a breach – surely this should include education of our employees on both the threats and consequences facing our businesses. Yes, cyber-education is ultimately rewarding, but it needs to be driven from the very top, affirming its importance within corporate culture.”
Another part of giving employees what they need to keep working efficiently AND securely is to provide them with adequate tools so they aren’t tempted into using insecure ones they find on their own.
Cairns finds that most employees turn to more helpful tools not because they put convenience above security, but because they want to be as productive as they can be and perform their job to the best of their ability.
Historically, to curtail this behaviour, organizations locked down desktops, applied rules to firewalls, and made it as difficult as possible for employees to go outside of process. But the problem now is that in the age of Software as a Service (SaaS), combined with the proliferation of smart devices, it is becoming more difficult to ensure all the holes are plugged.
“Much of this activity stems from the digitally accelerated world in which we now work, and the increased pace and demand placed upon our employees to contribute to the bottom line. Sometimes the tools provided by the employer to achieve this level of productivity are not adequate for the task, leading employees to deviate from acceptable policy to get the work done,” he says.
“The pragmatic approach to ensure the integrity of corporate information is to apply security protocols, whilst also acknowledging shortcomings in current tooling, and determine where new services can be employed to increase productivity. If services are delivered successfully, employees will no longer look outside of process for the tools they need to perform their job.”
Embracing IoT technologies securely
Organizations worldwide are keen to leverage the benefits purported to be achievable through the implementation of IoT technologies. Chief amongst these is the promise of an abundance of data to mine for information that will provide tangible business insights.
But, amidst the rush to integrate IoT sensor technologies, many businesses are blind to the risks introduced by this effective extension to the corporate network.
“There have been many cases in the consumer space where CCTV cameras, thermostats, and other devices have been shown to have little or no security, thereby exposing home networks to potential attacks. Whilst some argue this is consumer networks, it should be remembered that in our digital world, more employees are working from home. A vulnerability on the home network could equal a problem for the corporate network,” Cairns stresses.
But if organizations are dead-set on integrating IoT technologies within their networks, they need to ensure the sensors and devices employed deliver a solid level of security.
That means they have to verify that the sensors conform to basic security protocols, encrypting data both at rest on the sensor and in transit to the cloud. In the event of a sensor being compromised, this provides a level of data security that could be the difference between a simple lost sensor and a breach subject to GDPR legislation and penalties.
Selecting trusted partners and providers for provision of IoT devices is also hugely important.
“There is the temptation to seek out the newer, smaller, agile organisations to provide this technology in order to take market advantage. And whilst this can bring technological benefits not delivered by the larger providers, it introduces a larger risk factor. Have these sensors been engineered to include a high degree of security? Is there a roadmap and process for updating the sensors should vulnerabilities be identified? Will the small company be around in a year?” he points out.
“As a responsible organisation looking to embrace IoT technologies, these are all valid questions to ask when deciding on partners for provision of devices, and without specific regulation and governance of sensor production and deployment, many of these IoT devices fall short on comprehensive security measures, exposing corporate and home networks to potential attacks.”