Johannesburg, 27 Sep 2018
The chief role of IT is to securely build and deliver reliable, consistent, timely and cost-effective services to the business, at the speed required by the business. The question, then, is if this is IT's role, what is its strategy for securely delivering these services?
The answer to this, says Michael Mychalczuk, director of product management at Micro Focus, is to develop and implement a defensive posture that provides enough protection to offensively manage your exposure time to risk, by enabling both rapid detection and sufficient reaction.
"The first mission of any security strategy should be to establish sufficient 'protection time'; this is the effective amount of protection time provided from a threat, and it is absolutely critical, because it is protection time that buys the organisation sufficient time to detect and respond to any threat exposure," he says.
"Therefore, it goes without saying that your protection time must be greater than your exposure time, which is the total time associated with both the detection of, and the reaction to, a given threat, in order to sufficiently mitigate it."
Mychalczuk explains that developing such a security strategy requires utilising a series of security tactics. These are the progressive steps taken within a situation to advance the strategy. In order to develop and implement a proper strategy, then an enterprise will require a range of tactical elements in the form of point products and tools.
"These tactical elements could consist of some or all of the following: application security, data security, identity governance and management, access management, privilege management, security operations and analytics and machine learning. The security tactics an organisation implements are critical, because using the wrong tactics for your strategy will ultimately leave you vulnerable," he says.
Pointing out that the recent Verizon Data Breach report indicates 81% of the security incidents investigated involved the use of weak or stolen passwords, he says this is a clear indication that identity needs to become a determining factor in security.
"If you think about it, the concept of identity powers everything related to security in the first place. If there is a breach, we seek out who did it as the first step. With access certification, it is again all about who has access. Even when discussing provisioning, the core of this is about getting people into and out of the access they need, so again, it boils down to the issue of who. Therefore, identity should be the central factor related to your security decision-making."
One of the biggest problems from a security perspective, continues Mychalczuk, is that too often, we fundamentally accept the wrong level of identity assurance to properly combat today's threats. It is clear that in the modern world, passwords and/or PINs are no longer enough. We should instead utilise a multi-factor approach to validating identity for anything reasonably important. This could involve everything from passwords to biometric recognition, fingerprint, facial and voice, to one-time PINs.
"The key to developing a successful risk strategy is to understand the importance of identity, but also to recognise the inescapable fact that you cannot eliminate risk, you can only try to manage it effectively. This is why it is so crucial to get your security tactics right, by implementing the right tools to help improve identity assurance, along with strong identity management and governance programmes.
"By focusing on identity as a means of ensuring you implement the correct security tactics, you should put yourself in a position where you improve your organisation's protection time. This, in turn, will give your IT team more time to effectively detect and respond to the threats the enterprise is exposed to, allowing it to fulfil its mandate of securely and cost-effectively delivering the services the business relies on," he concludes.
Share