Thanks to political scandals involving alleged hacking conducted by agents acting on behalf of Russia and a multimillion-dollar drop in the price Verizon is going to pay for Yahoo because off multiple security breaches, many boards of directors are understandably starting to question the state of IT security within their companies.
Arguably, awareness of IT security as a risk management issue is long overdue. Almost invariably, the board of directors of most organizations is going to be asking for some proof regarding the level of IT security employed by their organizations. For most IT security professionals that means conducting an audit.
To make it simpler for IT organizations to get through an audit ISACA, the non-profit association for IT security professionals, has created a model that walks organizations through 98 tasks that should be addressed in a security audit.
Of course, conducting an audit is disruptive. Just about every IT professional views an audit of any kind as a waste of their limited time. In fact, many of them would almost rather be doing almost anything else.
Because of that issue, IT organizations might want to start thinking about security audits as a continual process rather than an event. Of course, it helps tremendously if organizations invest in visualization tools that help automate a lot of the discovery process.
At the same time, however, security as a process is also starting to get backed into various IT platforms. Many IT organizations, for example, now view network virtualization as a means of engineering security into the network in a way that also serves to reduce the pain and agony associated with passing an audit. Network virtualization software essentially microsegments the network in a way that enables IT organizations to implement firewalls as a piece of software. Each microsegment by isolates network traffic as it moves east-west across a data center. That approach means that should there be a breach the ability for malware to laterally spread across the data center is severely constrained. To make matters even more interesting, some vendors are now talking up the concept of nano segmenting networks to apply the same segmentation concept to containers such as Docker running in a microservices environment.
In general, network virtualization is an example of how security can be embedded deeply within an IT environment versus being bolted on after the environment has been designed and deployed. IT organizations that want to spend less time on audit need to take a giant step back to reconsider the various platforms they employ against how much time and effort they need to put into securing them and conducting an audit to prove that security is being consistently applied.
There, of course, will never be perfect security. But while the increased focus on security is welcome, the more time IT organizations spend on it, the less time there is to accomplish anything else. Obviously, two or more decades of insecure legacy infrastructure is not going to be replaced overnight. But every request for a new IT platform going forward should include a provision that addresses the impact that platform is going to have on security economics as part of the return on investment (ROI) equation. After all, at this rate the biggest IT organizations will soon face is not necessarily the size of the IT security budget, but rather the amount of time and effort required to both maintain that environment and eventually pass an audit to prove it.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot.Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.