Archive for October, 2017

The new gold mine: security

Tuesday, October 24th, 2017

When I hear some of the CISOs, self-styled experts, analysts, vendors and so forth talking about the importance of security – often in combination with cool buzzwords such as “end to end”, “automation”, “analytics” (ok, that is old; how about “machine learning” and “artificial intelligence”? yeah, much cooler), I often remember the old joke about teenagers and, well, sex. It’s “something” everyone talks about, everyone thinks it must be fun (or at least important), everyone is an expert, everyone thinks the others are doing it, so everyone thinks they should do it, too.

Eventually, many don’t do it at all. I mean, security.

The fact of life is that the broader IT industry is largely, and helplessly, immature when it comes to security. Broadly speaking, the smaller the company, the sloppier the approach to security becomes (with the expected outliers in both directions: small companies taking it seriously while some big ones prove to be hopelessly outdated). One of the fundamental problems is that, more often than not, we pick one feature or function as our “root of trust” (think a firewall; encryption; a VPN) and declare that, since we have that in place, our security is solved and we are 100% secure. What happened to Equifax – breached through a known, unpatched web application vulnerability, perimeter controls notwithstanding – is a good proof point for just how seriously flawed this thinking is. In reality, security is always about finding the balance between risk and cost and then putting sufficient, diversified and layered controls in place. Think about the recent key reinstallation (KRACK) vulnerability discovered in the WPA2 protocol used for WiFi security: one easy way of mitigating it would have been to always run a VPN on top of it, so that breaking WPA2 would only have exposed a second layer of encrypted (and still protected) traffic. The caveat is that this holds only if all traffic actually goes through the tunnel and the client fails closed when the VPN drops; anything sent outside the tunnel is exposed exactly as before. Did we all use VPNs? “Of course” not, as WPA2 provided strong enough encryption. Yep, until proven otherwise.

To be fair, it’s not only about sloppiness. There are three trends that have put us in the current situation.

  1. Expansion of digitalization. What used to be confined to the “IT industry” is fast expanding into virtually every other domain; companies that a few years back had little reason to worry about cybersecurity are suddenly connected and use IT systems for business-critical purposes (accounting, inventory tracking, taxes, CRM etc). Hairdressers, small shopkeepers, artists, shoe repair shops, restaurants and so forth are connected, use email and web services, and send as well as store their data online – and every one of them is a likely new target for the hackers out there. As if that were not enough, privacy concerns lead regulators to set – rightly so – stringent rules that add to the challenges facing companies small and large (think of the EU’s General Data Protection Regulation, or GDPR for short).
  2. With the advance of digitalization, the intrinsic business value as well as the complexity and exposure of IT systems are increasing exponentially, leading to a fast-expanding threat landscape and, inevitably, increased sophistication of attacks (the higher the potential reward, the higher the incentive and thus the higher the sophistication and effort put into it).
  3. Points 1 & 2 above lead us to the third trend: explosive growth in the cost of security. The first multiplier is the sheer number of newly digitalized companies; the second is the exponential expansion of threats and attacks. We are facing financial shortages (for small companies), an expertise shortage (for everyone, driving up the HR cost) and, as a consequence, a losing battle against the hacker community.

What can we do about all this?

The IT industry went through a similar challenge and transformation over the past decade: the transition to cloud. Cloud was driven by pure economics: low server utilization and rising operational costs led IT managers to look for utilization efficiencies (virtualization to the rescue), economies of scale (consolidation within and across organizations) and a shift from CAPEX to OPEX models (the foundation of the cloud business model). As the threat landscape expands and the cost of mitigating security risks grows, a similar consolidation is starting to happen for security too – not least enabled by virtualization and cloud.

However, there are several twists.

First of all, security tends to be much more localized, technology-wise as well as due to regulatory constraints. Hosting a firewall for a company based in Germany in a data center somewhere in the US brings more challenges than benefits (VPN management being one). Second, there is a trust deficit between enterprises and the large cloud providers: especially when it comes to security and privacy, there seems to be a preference for local providers.

This is where service providers come into the picture. Several surveys have shown operators to be among the most trusted partners of most enterprises; they are also highly localized and used to complying with regulatory requirements; finally, with network functions virtualization (NFV), they are putting in place the right infrastructure to offer reliable security as a service.

It’s a clear win-win setup for service providers and enterprises, small and large alike. Offloading the management of their security to service providers enables enterprises to shift their cost structure from CAPEX to OPEX and to reduce cost by tapping into pooled competence; on the other hand, service providers can leverage a growth area they badly need while tackling the cost issue through scale. One caveat: outsourcing the operation of security controls does not outsource accountability – under rules such as GDPR the enterprise remains responsible for its data, so the service contract needs to spell out logging, incident notification and who can see what. In addition, service providers have a long tradition of co-operating with each other, which would enable a global threat intelligence sharing infrastructure, further increasing the appeal of security as a service offered by operators.

Much like Amazon, they can turn necessity – ramping up their own security – into a business opportunity that unlocks future growth.