While cyber attacks have dominated the news recently, we all know that physical security is just as critical a component of the security plan. A breach in physical security that puts corporate assets at risk will quickly undo the work done from IT to secure data and IP. Physical security is a critical issue in any security strategy but is especially heightened at the edge (designed to bring computing closer to the end user to reduce latency). The edge represents network outposts prone to accidental or intentional tampering and requires special consideration for monitoring physical threats.
Smart sensors (enabled by Internet of Things (IoT)), for example, can be used to sense environmental threats via a text message alarm or email when temperature rises above an acceptable threshold. Sensors also supply data that needs to be correlated with other data, analyzed, and acted on. With the increased transition to digital formats and the need for digital transformation in the enterprise, the days of separate networks for physical and data security are all but gone. Technology innovations that can meet the needs of the business to digitally transform will require fundamental changes to networking to truly enable a distributed, cloud-first, mobile-first business world. Innovation and competitive edge, not outdated hardware, will be the ultimate drivers in security network upgrades.
Applications deployed on staff mobile devices are being combined with mass threat notification systems that specifically target at-risk personnel based on last known IP address. Once dispatched via analog radios, mobile guards can be automatically alerted about incidents via smart devices based on their nearest-location, availability etc. Once used for basic HVAC and machine maintenance troubleshooting, heat sensors are increasingly being used to predict optimal maintenance and end-of-life replacement initiatives.
These types of transformational scenarios mean security leaders need to think about IT and physical security more holistically to meet the performance needs of the business and to protect against threats ranging from environmental to human. Leaders considering such innovative solutions acknowledge that these solutions demand more edge strength, storage, and processing power that only modern networks best provide.
So how do a CSO and CISO decide that an organization’s network needs to be upgraded to accommodate increased devices, demand for data insight, protection of information, and possible intrusion at the edge?
One: Strategic Alignment
The technical path towards meeting company requirements for future growth and other requirements are of great importance to any technology project. A company merger or acquisition, for example, will see the number of users, devices, and servers grow and require additional support for the expanding network. Network designers need to meet with business stakeholders and understand not only their strategic goals but the applications and scenarios that are needed to outperform the competition. The story the business tells in the aggregate represents the holistic picture and requirements that incremental, IT-driven, bottom-up network upgrade projects are unlikely to address. The initial network upgrade plan must anticipate what the company is going to require three to four years from the completion of implementation to be successful.
Two: Assessment and Baseline Documentation
The CSO and CISO need to establish the baseline network and document the detailed layout of what is already on site and current conditions of the network components. This inventory and assessment documents things like device name, date of purchase, warranty information, location, brand and model etc. It also should answer questions like; how many users are currently on the network? How many networking devices are installed in your network? What functions do they perform? How does the business connect to the Internet? What is the Internet performance and does the connectivity need to be upgraded? Does the equipment that provides the connectivity also need to be upgraded or replaced? What applications does the network support? What is the current performance when applications, especially video and voice, are used?
Ultimately, this will be used by the network design team to determine what new equipment is required to strengthen the network for current and future needs.
Three: Modeling and Simulation
Required changes can only be determined if, prior to purchase and deployment, use cases coupled with modeling and simulation of the current network can show issues that will need to be corrected.
Four: Cost of Downtime
How much reliability can the company afford? Networks impact system performance, reliability, and scalability. With enough budget allocated the company can maintain nearly 100 percent uptime with complete redundancy in all equipment and services, however, this is extremely expensive to implement and also, highly unlikely. Networks must be designed to reflect the real need for uptime, performance, and system reliability.
Five: Project Approach and Risk Mitigation Strategies
Complexity escalates risk. Breaking down a network upgrade into phases based on priority, impact, and cost can be considered positive to simplify the project and address risk. Fewer requirements and solutions should lead to a more manageable process. However, a network which is in a constant state of flux or preparation for the next upgrade can create stakeholder frustration and stability issues, especially given each network upgrade can generate cascading issues and require new documentation for network diagrams etc.
To consider a total evolution of the network environment is not for the faint of heart. This requires significant planning upfront as well as budget. However, it should generate less documentation over time since the design team won’t have to rework network diagrams each time an incremental upgrade is made. Also, once the network is up and stable it should require much less care and nurturing than a network which is constantly evolving.
What is the best scenario? It depends on how poor the network is, how big the future growth, and what kind of budget and resources are really required for a complete remove and replace initiative versus incremental upgrades over a series of years.
Six: Budget and Resources
Resources and budget are never unlimited. CISOs and CSOs need to thoughtfully prepare a realistic, joint budget ask and make the case for what they will need.
Clearly, the more software or hardware the organization needs to replace that is not covered by a warranty, or as the number of new network components that are needed increases, the higher the budget ask. To prepare the CFO for upcoming budgets ask, consider using relative sizing for the initial meeting. Relative sizing is about comparing different network upgrade projects and agreeing on which ones are smaller (or larger) in size, then assign each project a T-shirt size; small, medium, large, or x-large. At the end of the exercise, all the upgrade projects would have been classified into the different size buckets and can be assigned approximate cost ranges and time frames. They can also be prioritized and placed into years.
This type of initial budget discussion approach prevents building out detailed business and technology requirements and obtaining quotes from vendors just to get directional feedback from the CFO. If the x-large project with the remove and replace strategy costs between 20 and 30 million dollars over two years and the CFO chokes in the meeting and tells you that you have twenty-five percent of that budget ask to work with over three years, you won’t feel as bad or have wasted your time.
Seven: Planning and Project Management
The planning phase is considered the most important phase of any project because the process produces the project plan, which clearly addresses how the project team will manage the project elements. This is the document that should give the joint teams a high level of confidence in the organization’s ability to meet the scope, timing, cost, and performance requirements for the network upgrade. Poor up-front project definition and planning can cause serious problems, such as lack of business support, missed budgets and deadlines, and reputational loss within the organization. Make the decision to upgrade, only if you can allocate budget or headcount to assigning one or more project managers to the project.
Summary
The future network requires a bold vision for digital transformation, a joint approach by the CSO and CISO to solving the problem, and a project that is backed by investments driven by the business.
About the Authors: Heather Zindel is the CEO and Principal for Bloom Consulting Group, Inc., a growth-oriented business management consulting firm that delivers strategic services to marketing, sales, channel, and security executives to maximize business profitability. Bloom’s high-performance team specializes in strategic business and technology management consulting, process improvement, Project Management Office (PMO) services, and Agile transformation services. In 2015, Bloom won the Security Innovation Award from Security Technology Executive Magazine alongside partner Microsoft for its Azure-driven, enterprise Windows application. The app was awarded the Gold Medal by judges for best Collaborative Security Project.
Nicole A. Watson is Vice President, Strategy for Bloom Consulting Group, Inc., where she specializes in building global businesses and brands in the high tech and security sectors. During her 20-plus-year career, she’s led strategy, process re-engineering, marketing, and business development in firms undergoing high tempo transformations. Today at Bloom, she advises global organizations to help land new strategies, targets, business health indicators, and bleeding-edge security technologies.
