SecurityVibes – IT Security & Compliance Magazine

The analyst view: 2011 in perspective

Author: Derek Parkinson, inside Business

The security breaches suffered by Sony and RSA revealed in dramatic fashion how perceptions of security can come apart from the reality. That global companies, perceived as leaders in their fields and assumed to be competently run, can be humbled is a key lesson to be learned from the events of 2011, says Ovum analyst Andy Kellett.

“The fallout from these breaches has been very interesting. It’s made us look at a bigger overall picture: Sony and RSA are thought of as very good companies, they are seen to be very well organised,” he says. Many observers have concluded that if RSA and Sony can fall victim to cyber attack, then many others can too.

Such breaches also serve as a useful reminder about how far security in practice falls behind some of the aspirational talk that goes on among security professionals: in reality most are still struggling to master basic issues. An example is provided by the emerging trend towards Bring Your Own Device (BYOD) practices in the workplace.

“BYOD is somewhat over-hyped in my view. Most organisations still have enough problems with managing their own devices. I think one of the big issues for security at present is broader. It’s mobility: where do we want our people to work from?

“What are they struggling with? Well, does the organisation understand who’s got copies of what? What can people do with data that the organisation can’t see? If you think no further than the humble USB stick it is obvious: organisations that lose data on these sticks don’t even know the data was there until afterwards when the breach has happened.”

It is unwise to assume that any easy fixes will come from Data Loss Prevention (DLP) technologies, even though these products are maturing, says Kellett. “I was once at a conference session about DLP systems, back in the early days. The message was that this was wonderful, it will help you classify all your data. The CISO of a large financial institution said: ‘The reality is that if I do all you want it will take two and a half years just to get to the ‘good to go’ point, the first base. But then we would have to do it all over again’,” Kellett says.

Of course, security is about more than just data and devices. There are people to consider too: another part of the fallout from the serious breaches of 2011 is increased tension between security and business imperatives that require many different people to have access to corporate networks and data. “At the same time as we’re getting all these lock-down requirements, organisations are pulling in the opposite direction: collaboration with others, using contractors and consultants, and these all need the same access as trusted employees,” says Kellett.

For these reasons identity management is a key area needing further work. “McAfee once said they wouldn’t go there, but they have, as has Symantec. HP has gone back into identity management. It is a key requirement now.” This brings us back to arguably the most serious security incident of 2011: the RSA breach and the compromise of its SecurID system of tokens for generating one-time passwords. Regardless of the breach, it may well be that such technologies will become obsolete, says Kellett. “If you think about it logically, mobile phones can do all this. Does the mobile replace tokens?”

That scenario may be some way off, but in the short term CISOs may find themselves having difficult conversations with their boards, says Kellett. “One of the messages that came out of this year was that you either have already been breached, or will be. Either way you have to do something about it, but as a CISO you might find yourself in front of the board being asked why, after all the spending, you still can’t protect the company.”
