There is a basic recipe for network and computer security that most organizations follow without question: The network firewall guards the perimeter, and anti-malware software protects the various endpoints. Security is based on protecting the individual servers and PCs inside the perimeter from the various threats outside of the network perimeter. However, that formula is no longer sufficient.
The RSA-sponsored Security for Business Innovation Council has released a new report titled Transforming Information Security: Future-Proofing Processes, which reveals how current security processes and perimeter-based security controls are no longer an effective defense. The report also shares five valuable recommendations to help organizations adapt and evolve information security to defend against current and future threats, and an infographic that sums up the recommendations.
The network perimeter hasn’t really existed for some time now. When users accessed the network from desktop PCs—anchored to desks sitting in cubicles in an office building—there was a clear line of “inside” and “outside” the network. From the moment laptops came into the picture though, that perimeter started to fade away, and when smartphones and tablets entered the mix, the entire concept of “inside” and “outside” dissolved.
The rapidly changing technology landscape, and quickly evolving threats, require organizations to rethink their security strategy. Rather than guarding servers and protecting endpoints, security needs to have a more holistic goal of defending critical business processes—including whatever servers, PCs, or other assets those processes might depend on.
When you consider the bigger picture, the traditional approach to security was also ultimately about safeguarding crucial business assets. The goal was to ensure that the organization could detect and block attempted attacks, and that critical business functions were resilient enough to continue functioning through a successful attack. That goal hasn’t changed, but the nature of technology and threats today compels a different approach to achieving it.
Here is a brief overview of the five recommendations in the report:
- Shift Focus from Technical Assets to Critical Business Processes: Move away from a strictly technical viewpoint of protecting information assets and consider how information is used in conducting business. Remember, you’re not trying to protect a server, you’re trying to protect the capabilities the server provides or the data stored on the server. View your security strategy through the lens of the business goals rather than the individual technology assets.
- Institute Business Estimates of Cybersecurity Risks: Develop techniques for describing cybersecurity risks in business terms and integrate the use of business estimates into the risk-advisory process. When you begin to filter information security through its larger business purpose, it’s easier to protect what is most important, and communicating security risks in terms of the potential financial impact on the underlying processes helps executives and other managers understand and support your efforts…
Read the full article at RSA: Adapt Your Information Security To Meet The Challenges Of Tomorrow.