Leveraging the “Perfect Storm” of Convergence

Corporate security can take a lesson from techniques that hackers use to breach the very networks the corporations are trying to protect


The conundrum facing today's security professional is that the convergence of physical and logical security is creating “Perfect Storm” conditions: the critical contributing factors have all reached similar stages of maturity at the same time.

The Perfect Storm has indeed arrived. When multiple factors reach the right stage of maturity at the same time, convergence becomes something of an unstoppable force. The main factors are:

* Competitive pressures of globalization are driving customer demand for innovation;

* Emerging technologies are appearing in places where security is often an afterthought;

* Corporate data has become more mobile, leaving a corporate perimeter that can no longer be clearly defined; and

* The volume and rate of change that globalization demands have outpaced the business processes that are supposed to govern that change.

Globalization Drives Innovation

Globalization is creating demand for new products and services as competition for customers becomes fierce. CEOs understand the “innovate or die” mentality, and they are changing entire business models around what today's customers want. Companies that were arch-rivals only 10 years ago are now helping each other find customers. In some cases a company can be both a top-line customer and a supply-chain competitor on the same contract.

Another change brought about by globalization is that more businesses today are built around the buying and selling of information. This has helped spawn the era of the “knowledge worker,” who demands a constant stream of emerging technologies. Add the merger and acquisition mania of the last five years, and it is no wonder that 2006 will forever be known as “The Year of the Data Security Breach.”

As security professionals, we have invested millions in technology and countless hours developing best practices to write into corporate security policies. We have toiled for years to protect and defend corporate networks against attacks that never stop; yet we know it is not a matter of if a security breach will occur, but when.

So is the hacking community actually winning? Will convergence put us on a path to safety, or on a path to almost certain ruin?

As always, in chaos lies great opportunity. Security as an industry is maturing rapidly, and with good reason: with every day and every security event, we become wiser. We have more metrics to measure against, and what can be measured can be better managed.

Lessons From Hackers

We can take a lessons-learned approach by studying what the hacking community is doing that works, looking at how and where they are having success. We can combine those lessons with the factors driving the Perfect Storm of convergence and create successes of our own. Here is a start:

* Innovate -- Professional hackers are extremely innovative. There is a new attack every day. They are brilliantly creative and very strategic: they study their prospects and plan their attacks. They thrive on change. If a new process proves effective, they repeat it until the moment it stops working, and then they change again.

CEOs who build security into business strategy stay that much further ahead of the professional hackers. They build security into their emerging technologies and innovative new services during the planning stages. They thrive on change, and if a new process proves effective, they repeat it until the moment it stops working. Then they change again. The CSO in this type of company has “a seat at the table.”

* Go where the money is -- As Dr. John Atalla, known as the Father of the PIN, puts it, Jesse James robbed banks because that's where the money was. Profit is a compelling motivator for professional hackers: they go where the money is. The point of entry, whether a software vulnerability, a USB drive, a propped-open exit door at corporate headquarters or an unattended laptop, is irrelevant; the goal is the same.
