They say that every silver lining comes with a cloud attached and that’s certainly true of today’s transformative technologies. CEOs and the board rightly see BYOD, Cloud and IoT initiatives as a gateway to a world of increased productivity and growth. But for IT and information security departments that same gateway leads somewhere quite different: to a networked environment littered with security vulnerabilities.
Gartner says that 38% of all IT spending is now happening outside the IT department, with the figure continuing to rise. And as the spending goes, so does the control. Without control of the technology, IT and IS lose visibility of any resulting security issues.
BYOD and Cloud users have already shown a propensity for poor security practice, with inadequate passwords, insufficient device control and monitoring, and security measures that simply aren’t rigorous enough for the enterprise environment. Outsourcing adds problems too, with many CIOs uncertain about their ability to assess the security of their cloud providers.
IoT looks set to make matters even worse. Suddenly the infosec area of concern extends way outside the network perimeter, through sensors and gateways, potentially into customers’ facilities and homes. For IoT to fulfil its promise, these new touch points must be easy to access, yet remain tamper resistant and tamper evident even though constantly connected.
Worrying? You bet. A lost cause? Absolutely not.
The answer lies in risk and in reintegrating the IT and IS departments into transformative-technology-based developments within the enterprise. CEOs need to release funding to prioritise the implementation of IT security risk assessments.
The key point is this: without assessing the risks associated with this profound technological change, corporate IT teams will lack the insights they need to defend their sensitive corporate data as they embrace their organisation’s digital transformation.
There are unparalleled security challenges facing IT and IS departments as they seek to integrate the new with the old, without impacting the end-user experience or the performance of their systems.
Only by reinventing how security risk assessments are performed, and by adopting risk-based, adaptive, multi-factor authentication, can a bridge be built between IT, information security and other departments. That bridge enables firms to strike an effective balance – or ‘identify appropriate levels of friction’ – between the adoption of protectionist and, in some cases, interventionist information security policies. Once these measures are in place, the adoption of enabling technologies capable of fostering innovation and improving business performance can proceed unhindered, confident in the knowledge that the firm’s sensitive data is appropriately locked down.