This action might not be possible to undo. Are you sure you want to continue?
3, issue of
The journal of high-performance business
How secure are your information systems?
By Alastair MacWillson
As IT systems become more functionally rich, open and dynamic and the information they contain grows in size and value, many companies are rethinking their security strategies to balance the threats and opportunities inherent in new technologies.
In mid-2012, coordinated attacks on 60 banks around the world netted an estimated $80 million for the hackers. An automated, malicious software program initiated thousands of attempted thefts from bank accounts that, if successful, could have potentially captured $2.5 billion. Stuxnet cyber attacks begun in 2010 were among the first attempts to use malware to spy on and sabotage industrial systems, in this case reportedly devastating part of Iran’s uranium enrichment infrastructure. The sophisticated “military” malware is unlike anything security experts have ever seen. In 2012, Jonathan Evans, the director general of the UK security agency MI5, warned that Western countries and companies are being targeted by cyber espionage activity on an “industrial scale.” Headline-grabbing stories like these seem calculated to send chills through the CIO’s office. While sensational, they do underscore how tough the job of securing a company’s information has become. However, Accenture believes the IT security challenge can also become a significant opportunity, enabling companies to integrate their security and business strategies in ways that create enormous value. In the competitive frenzy that characterizes global business today, security concerns often take a backseat to new ways of doing business. That’s a problem, because research shows that the value of corporate and government information lost in 2008 alone topped $1 trillion. A single disgruntled employee who leaked plans for an upcoming product, for example, cost his company an estimated $1 billion in lost sales and new R&D costs.
security boundaries and principles are becoming increasingly blurred and elastic. For example, employees today routinely access their organization’s systems and data via unsecure public WiFi hotspots, check corporate email from personal devices, surf socialnetworking websites on their work laptops, or increasingly do their work using a whole range of personal devices and software. All of these seemingly innocent activities can expose companies to potentially serious attacks. At the same time, information itself is becoming a huge new asset and an increasingly rich and valuable target. While “big data” (huge repositories of consumer and other data from which companies extract value using powerful analytics) shows tremendous promise, a significant portion of the information companies collect is potentially “toxic”—credit card numbers, personal identification and health information, sensitive intellectual property, or other custodial data that companies hold but do not own—and could cause serious damage to customers and to the business if attacked. What’s more, attackers themselves are becoming increasingly agile and professional in their attempts to compromise company systems. The Stuxnet malware attack, for instance, was just one of a number of cyber attacks on industrial process control systems, currently considered the Achilles’ heel of enterprise security. Used in everything from manufacturing and refining plants to utilities and oil and gas pipelines, these systems often lie beyond an IT department’s purview. Typically managed by the engineering side of the business, they are often more vulnerable to attack. In the face of these challenges, companies are struggling to strike a new balance between access and risk—one that matches the accelerating whirlwind of innovative technologies with an agile, risk-aware security approach that’s attuned to business necessities.
As the pace of technology innovation continues to accelerate, once-clear
Cyber situational awareness
Among leading companies, IT security aligns fully with business strategy. These companies strive for something Accenture calls cyber situational awareness, which occurs when organizations establish an integrated set of mutually reinforcing, security-focused capabilities and resources. Most important, these organizations attempt to create a clear, coherent and complete picture of the strategies and actions that tie events and systems to business processes and business impact, giving leaders the most complete decision-making tool picture possible.
Surveillance • Administrative management • Information management • Risk mitigation • Public data Security operation center
Community intelligence Downloadable rule set • Enhanced capabilities Attribution • Order of battle • Courses of action • Response modeling and simulation • Network auditing • Malware databases •
• Vulnerability scan • Networking profiling • Incident management
• Penetration analysis
Security information and event management Governance, risk and compliance • Log management • Firewalls • Identity/access • IDS/IPS management • Anti-virus services • Incident management • Vendor management • Threat management
Cyber situational awareness
Remote management •
Threat analysis center Malware analysis • Attack simulator/cyber range • Cyber forensics • Threat modeling • Data forensics Data collection • Data logging • Data searching •
• Policy and compliance management
Source: Accenture analysis
While companies have invested heavily for years in increasingly sophisticated IT security systems, they have not always gained the flexibility they need to adapt to changing technology and business trends. A confluence of significant technological advances is making many formerly secure systems increasingly unsecure, transforming IT from a relatively stable environment into a more volatile one. If not addressed, these changes can introduce unforeseen vulnerabilities and significantly reduce the effectiveness of an organization’s security systems. Among the most important mixedblessing advances:
capabilities make them serious enterprise tools. However, security challenges include the practice of allowing employees to use their company phones for a mix of social and business tasks, a lack of rigor when separating corporate and personal data, and concerns about the integrity of some smartphone apps. Smartphones use a variety of channels (including voice, texting, email and social media) that allow them to operate seamlessly with other devices. As a result, the damage done by a single compromised handset can spread to smartphone users and the entire enterprise itself, providing hackers with a treasure trove of information useful for more sophisticated social network attacks. Likewise, tablets are used to access sensitive corporate data but often allow
Mobile ubiquity. The corporate adoption of smartphones has been a technology phenomenon, and their power and
users to do so without the stronger controls laptop computers employ. As a result, while most organizations have strong authentication processes like complex password rules for accessing emails and enterprise systems, they frequently allow tablet users to log on using simple, easily breakable four-digit personal ID numbers.
Cloud-based services currently float outside of many security and privacy standards, which can be at least a decade old.
Hardware/software virtualization. The virtualization of hardware and software can generate cost savings by enabling companies to consolidate servers, reduce power consumption and cut data-center space requirements. It can also do all of those things for elements of a company’s security infrastructure. For instance, virtualization allows companies to “freeze” and “thaw” servers and desktops automatically when vulnerabilities become evident. It can make security solutions even more powerful, and increase security adoption rates due to the massive cost savings it promises. Virtualization does raise significant security issues, however, and protecting virtual territory is proving more difficult than originally thought. In a cloud environment, for example, virtualization enables companies to create and then take down collections of specialized virtual machines, which means that large numbers of machines periodically appear on networks, and then disappear. As a consequence, IT staffers have no enduring picture of the overall IT architecture, and if malware infects the network, no clear way to fix the problem since they lack an accurate inventory of machines on the network. Cloud computing. Cloud is another technology trend that provides real agility and cost-control business benefits. However, cloud-based services currently float outside of many security and privacy standards, which can be at least a decade old and fail to address issues such as virtualization and shared tenancy.
The cloud presents other challenges as well. For example, a cloud provider might outsource specialized tasks to third parties, and these links—if unsecure—can influence the entire cloud’s security level. Other cloud practices such as multi-tenancy and resource sharing can, in extreme cases, introduce “class breaks”— the failure of the mechanism that separates storage, memor y and routing. This can open the door to data theft, service disruptions or the invalidation of assurance levels for both the cloud provider and its clients. Big data. The growing exploitation of big data promises to unlock new value streams inherent in company customer information. However, attempts to monetize big data by using it to power online recommendation algorithms and other predictive analytics puts information into play the same way virtualization has made hardware and software dynamic, increasing the overall security threat. What’s more, big data is often stored in one place, making it a huge prize for attackers. Collaboration. The growing popularity and commercial usefulness of social networking and other collaborative channels is causing the risks inherent in these very public forums to multiply. As a consequence, some organizations concerned about industrial espionage prohibit their employees from using collaborative networks at all. Our research reveals that many companies aren’t prepared for these technology innovations and the implications they have for the organization’s established security posture. As a result, firms can fall behind when it comes to protecting IT infrastructure and data. Many rigidly follow regulations that encourage them to adopt a compliance-focused mindset and are thus unable to deal with change.
Accenture research has identified a relatively small group of companies that excel at information security. In the past year, almost half (49 percent) of these security leaders experienced only one serious attack, compared with 15 percent of all other companies. Only 9 percent of leaders had more than five serious attacks, compared with 32 percent of all other companies.
Leaders Other companies
Only one serious attack
Source: Accenture analysis
Two to three serious attacks
Four to five serious attacks
More than five serious attacks
For example, cloud services are at times at odds with regulations. Take Germany, where strict controls prevent the transfer of personal data across borders, blocking companies from using the cloud for specific applications. Such fixed, static approaches to security can be difficult to adapt to new business and technology challenges. What’s more, as security strategies evolve, they tend to become more complex, which can rob companies of the essential clarity and agility they need to be effective. Experience shows that few organizations have a clear, up-to-date picture of their environment from a security perspective. They lack information about the number of physical servers— not to mention virtual ones—they have, and they don’t have a clear view of the third-party data or application providers coupled into their business processes. When they do have this information, they often treat it more
as an annual audit exercise than as a key component of a continually updated security picture. Company security strategies also often fail to keep up with fast-paced business and technology innovations. Adopting a traditional Maginot Line-like fortress mentality, firms typically design all IT systems with (hopefully) foolproof architectures and lock everything behind a firewall. Such an approach no longer works in a wide-open Internet-enabled and cloud-served environment—both data and users now exist beyond the fortress walls. New threats require companies to know when and how to increase their security skills, but this goal can run counter to other security trends. For example, as some companies automate their security capabilities, they are allowing staff expertise to erode. CIOs need to realize that automation isn’t a panacea. Organi-
For further reading
“Embracing the consumer IT revolution— at work,” Outlook 2012, No. 2: http://www.accenture.com/us-en/ outlook/Pages/outlook-journal-2012embracing-consumer-informationtechnology-revolution-at-work.aspx For more related content, please visit www.accenture.com.
zations that extensively automate or outsource security processes can lose the internal skills they need to react to even newer threats. Given the complex, multifaceted nature of today’s IT security challenge, it’s no surprise that many companies struggle with security. Accenture research shows that while the number of firms that get security right is relatively small, some companies do excel in this area. The ability to avoid serious attacks is perhaps the most important mark of outstanding security capabilities. Our research shows that nearly half of the security leaders we identified experienced only one serious attack in the past year—something only 15 percent of all other companies accomplished. At the other end of the spectrum, far fewer leaders had more than five serious attacks compared with other firms. What follow are some of the characteristics that make security leaders special. Cyber situational awareness. Among leaders, security is part of the company’s DNA and aligns fully with its business strategy. These companies strive for something we call “cyber situational awareness,” which occurs when organizations establish an integrated set of mutually reinforcing, securityfocused capabilities and resources (see chart, page 3). Most important, these organizations attempt to create a clear, coherent and complete picture of the strategies and actions that tie events and systems to business processes and business impact, giving leaders a critical decisionmaking tool. And by tying security events and controls to business outcomes, the chief information security officer (CISO) has a clear line back to the value the business is producing. The company is thus focused on effectively managing the
risk environment that allows the business to flourish rather than concentrating strictly on compliance at the expense of strategically securing business growth, value and innovation. Virtual security. Security leaders embrace the introduction of new technologies and have good architects to deal with their security challenges. In general, securing a cloud or virtual environment requires organizations to move their security and management functions—the traditional activities of firewalling, virus scanning and backup—beyond traditional operating systems and physical connections. Security mechanisms need to inhabit the virtualization space itself, effectively shifting security into the shell of the virtual machine. Information security leaders assume a proactive stance regarding data security. They underpin progress in introducing agile IT solutions such as cloud computing with dynamic and agile new approaches to security that mesh well with data protection laws and regulations. Context-aware controls. Leading companies also increasingly use sophisticated analytics to monitor relevant activities in real time and identify threats. An important element of this approach involves the development of “context-aware” controls. Context awareness allows security teams to sort quickly through potential threats to find the ones that apply to the company. They make a complete profile of all of the types of devices connected to the network—including virtual machines—and closely monitor network behavior for changes in connections and information flows that could signal system compromises. Context awareness can also mean analyzing patterns of normal user behavior and exploiting them to detect anomalies, flagging issues such as stolen credentials, compromised machines or malicious insiders.
Security leaders keep track of the company’s entire portfolio of operating systems and actively document system vulnerabilities across multiple resources. This puts a premium on timeliness and an appetite for managing change. They also watch applications, services and protocols closely to identify unauthorized applications and unsecure or unneeded services. A data-centered security model. Most critically, they adopt a “datacentered” security model. This enables them to identify and locate sensitive data, know how people are using it, see where it’s going (for example, to which devices, networks, IP addresses and recipients) and ultimately decide how and when they should employ the most effective control actions. Some organizations are introducing Mobile Device Management (MDM) software that enables personal devices to access business applications and data with less risk of data loss or compromise. New capabilities are also emerging to provide access control and information protection to the big data analytical repositories organizations use to mine valuable insights on their customers and their operations. Technologies and skills. Leaders put robust policies and processes in place to protect data in this new environment, and recognize that security technology is only part of the solution. That’s why they also focus on raising the skill levels of their security teams to counter threats, and act to raise awareness among users regarding their personal security responsibilities.
of managing risk and compliance issues, they should focus on the business value that security can bring to the table. Why? Beyond the obvious business benefits, today no existing standards fully address the security issues surrounding the cloud and other emerging technologies. Organizations should embrace security as part of the fabric of the business in order to secure both infrastructure and data. Our research reveals that one consequence of this mindset is that the business units of high-performing IT leaders work much more closely with their security organizations. The biggest challenge is perhaps psychological—the persistent belief that there’s an IT security system out there that cannot be breached. There isn’t one—and the prevalent fortress mentality needs to change to a simplified, practical and agile approach. In our experience, the best security systems are created pragmatically, reflecting the oftenunique circumstances of individual organizations. As such, there is no single “best way” to achieve effective security—the best protection almost always evolves organically, and the best way to ensure success usually begins with a strong top management commitment to achieving enterprisewide security.
Outlook is published by Accenture. The views and opinions in this article should not be viewed as professional advice with respect to your business.
The use herein of trademarks that may be owned by others is not an assertion of ownership of such trademarks by Accenture nor intended to imply an association between Accenture and the lawful owners of such trademarks.
For more information about Accenture, please visit www.accenture.com
About the author
Alastair MacWillson leads the Accenture security group. He is based in London. firstname.lastname@example.org
Copyright © 2012 Accenture All rights reserved. Accenture, its logo and High Performance Delivered are trademarks of Accenture.
To deal with the new challenges businesses have placed on IT and to deliver the agility and performance benefits companies expect from the introduction of new technologies, many organizations need to shift their security emphasis. Instead
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue listening from where you left off, or restart the preview.