The conundrum that faces today's security professional is that convergence of physical and logical security is creating “Perfect Storm” conditions – as critical contributing factors have all reached similar stages of maturity at the same time.
The Perfect Storm has indeed arrived: Having multiple factors reach the right stage of maturity at the same time means convergence has become something of an unstoppable force. Here are the main factors:
* Competitive pressures of globalization driving customer demand for innovation;
* Emerging technologies are popping up in places where security is often an afterthought;
* Corporate data has become more mobile -- leaving a corporate perimeter that can no longer be clearly defined; and
* The volume and rate of change that globalization demands have outpaced the business processes meant to govern them.
Globalization Drives Innovation
Globalization is creating a demand for new products and services as competition for customers becomes fierce. CEOs understand the “innovate or die” mentality, and they are changing entire business models around what today's customers want. Companies that only 10 years ago were arch-rivals are now helping each other to find customers. In some cases, a company can be both a top-line customer and a supply-chain competitor on the same contract.
Another change brought about by globalization is that more businesses today are built around the buying and selling of information. This has helped spawn the era of the “knowledge worker,” who is demanding an onslaught of emerging technologies. Add to it the merger and acquisition mania of the last five years and it's no wonder at all that 2006 will forever be known as “The Year of The Data Security Breach.”
As security professionals, we have invested millions on technology and countless hours developing best practices to write into corporate security policies. We have toiled endlessly for years to protect and defend corporate networks against daily attacks that never end; yet, we know it's not a matter of if a security breach will occur, but when.
So is the hacking community actually winning? Will convergence put us on a path to safety or is it a path to almost certain ruin?
As always, in chaos lies great opportunity. Security as an industry is maturing rapidly and with good reason. With every day and every security event, we become wiser. We have more metrics to measure against -- and what can be measured can be better managed.
Lessons From Hackers
We can take a lessons learned approach by studying what the hacking community is doing that is working, by looking to see how and where they are having success. We can leverage those successes together with the factors that are driving the Perfect Storm of convergence and create successes of our own. Here's a start:
* Innovate -- Professional hackers are extremely innovative. There's a new attack every day. They are brilliant in their creativity and they are very strategic. They study their prospects and plan their attacks. They thrive on change. If a new process proves effective, they repeat it until the very moment it does not, and then they change again.
CEOs who build security into business strategy stay that much further ahead of the professional hackers. They build security into their emerging technologies and innovative new services during the planning stages. They thrive on change, and if a new process proves effective, they repeat it until the very moment it does not. Then they change again. The CSO in this type of company has “a seat at the table.”
* Go where the money is -- As Dr. John Atalla, known as the Father of the PIN, puts it, Jesse James robbed banks because that's where the money was. Profit is a compelling motivator for professional hackers -- they go where the money is. The point of entry -- a software vulnerability, a USB drive, a propped-open exit door at corporate headquarters or an unattended laptop -- is irrelevant; the goal is the same.
As security professionals, the lesson here is to go where the money is. CSOs are constantly fighting for more funding, and in some companies, just to maintain their current budget.
In the meantime, which department gets a significantly higher percentage of the corporate budget? Marketing! Who is responsible for development of intellectual property? Marketing! Yet protection of that intellectual property falls heavily on the shoulders of the CSO.
What if security billed marketing directly for that service? Shouldn't marketing pay for identity management? Isn't marketing the department that most values knowing who the company is doing business with and the details of those transactions around the globe?
* Follow the path of least resistance -- Convergence enables access to proprietary data at all times. It's on PDAs, 10-GB iPods and USB drives built into watches. It can be stored on pen-sized cameras and then e-mailed anywhere around the world in minutes from Web-based Voice over IP (VoIP) phones.
Professional hackers follow the path of least resistance. We've chased them away from our well-tuned networks and toward whatever corporate processes may be vulnerable. They are targeting the unaware and helpful employee so they can come into our networks, seemingly authenticated.
We spend our entire careers trying to educate, convince and cajole our companies on why security should be as important before a breach occurs as it is following one. The lesson from the hacking community is to follow the path of least resistance.
Thanks to the much-publicized data security breaches of the past, security has finally become marketable; in fact, it has become a competitive business advantage. Several recent studies have shown that customers are willing to pay more for services and products that they perceive to be secure.
We need to start engaging corporate sales teams and help desks in our missions to build security into business strategy. These business stakeholders share our mission -- they want a competitive business advantage and a chance to meet their customers' needs. It is now the path of least resistance.
* Get Personal -- One of the latest trends in social engineering-based attacks is personalization. Hackers are targeting specific companies with laser-focused attacks. Phishing e-mails that address corporate executives by first name and mention actual press releases, enticing them to click a link they otherwise wouldn't, are a common example. Investment banks held for ransom by hackers just prior to the opening of an initial public offering (IPO) are another.
Identity theft has obliterated the old adage, “It's not personal. It's business.” When it comes to identity theft, however, it is personal and it is business. The CSO can't be everywhere that proprietary data is, but a team of people can be. An educated and aware employee can be the eyes and ears of the CSO -- and that means training is key.
But while standard security awareness training is better than none, true adoption means proactively gaining employee mindshare. Working with each line of business to show each employee how to recognize and resist a social engineering attack, and why it is important, is one of the most cost-effective investments a company can make.
Convergence Creates Opportunity
Emerging technologies, innovative new business models and globalization are combining to unearth a whole new set of business opportunities. Yet all of this change has opened a Pandora's Box of security challenges, and it will take completely disruptive approaches to solve them.
Here lies the opportunity for CSOs to leverage the perfect storm of convergence and change the course of security history. We can move from being reactive to proactive, from being a cost center to a profit center and from being at the lagging edge of innovation to the leading edge.
Jackie Bassett is founder and CEO of BT Industrials Inc. Her expertise is in identifying ways to improve business processes, productivity, profitability and shareholder value using security. She holds an MBA from Babson College and is co-author of an upcoming book, A Seat at the Table for CEOs and CSOs. As an active member of Business Executives for National Security (BENS), Bassett works extensively with CSOs and CEOs of Global 500 companies. She can be reached at firstname.lastname@example.org.