Often the conversation about the security of technology systems is parsed in terms that suggest the biggest risk vector comes from small organizations without the IT budget to ensure good security. However recent high profile breaches from the likes of Target and Neiman Marcus has called this perspective into question. New research from security rating vendor BitSight would seem to back up the perception that larger companies in fact pose a real security risk.
BitSight has put together a report detailing the security effectiveness of different companies. Their approach is to create something analogous to a credit score, that analyzes the entire security situation and rates organizations based on externally observable security incidents - botnets, spam, malware, unsolicited communication, DDoS, system configuration, etc. BitSight ran the report across 460 of the S&P 500 (excluding the telcos) and high level findings include:
- During 2013, at any given time, between 68% and 82% of the S&P 500 companies had been compromised with an externally observable event
- Only 18% of companies had strong SSL certificates, the remainder sent data across the Internet without proper encryption
- Only 24% of companies had strong SPF records that could prevent email spoofing… these are some of the largest companies in the US!
So what is going on here? Are the attacks becoming more sophisticated or are large organizations really dropping the ball on this? Well another survey, this time by Trustwave, would seem to indicate that it's very much the latter. Trustwave surveyed 800 IT professionals and looked at the top security pressures they face. It tried to differentiate between external pressures (new attacks, more frequent attacks) and internal ones (reduced budgets etc). The results are somewhat sobering:
- 4 out of 5 IT pros were pressured in 2013 to rollout IT projects despite security issues
- Businesses Put the Blinders On: 73% of respondents believe their organization is safe from security threats
- 85% of IT pros say a bigger IT security team would reduce security pressures and bolster job effectiveness
- From the Board Room to the Executive Bench: 50% of IT pros said they feel the most pressure from their organization’s owners, Board, or C-level executives when it comes to security
It seems that in a headlong race to become more agile and deliver on the innovation that the organization and the marketplace demands, enterprises are taking a fairly slack approach towards security. But perhaps this is an unavoidable reaction to the pressures organizations are under - is it feasible to deliver product more rapidly while still remaining secure?
I believe that to an extent these statistics are a direct result of the move towards the "lean enterprise". I speak with many large enterprises who are trying to emulate Eric Ries' Lean Methodology for startups - in doing so they're keen to roll out minimum viable products to test a business hypothesis. While this is an admirable aim from the perspective of increasing innovation, it leaves significant gaps when it comes to security. I'm reminded of the book The Phoenix Project, a novel that looks at the reality of one fictional enterprise trying to balance agility with robustness.
It seems to me however that there is a resolution to these problems, but to gain the edge, organizations need to rethink the fundamental systems they use. The current status quo of having core systems, point applications and the operating platform as distinct and siloed entities can't deliver agility combined with robustness. Rather organizations need to find a new sort of operating system that allows them to create new applications but within a strong governance wrapper. Seemingly this is the reason that Warner Music Group famously ripped out its technology systems to create an entirely new stack, one that mixes high degrees of flexibility with overall compliance.
Trying to shoehorn agility onto existing systems is a guarantee of problems - the recent large enterprise breaches have show this. Enterprises that truly want to be innovative within the constraints of what they do need to rethink their core systems and revisit the way they operate. Only by doing this will they be able to reconcile the various pressures they feel.
