By Robert Fitzgerald, Risk & Security Practice Lead
As GreenPages’ Risk and Security Practice Lead, Rob is responsible for designing and building GreenPages’ overall program, including all of the risk and security services and offerings GreenPages brings to market. Rob has spent the past 20 years building and supporting security programs, with a specialty in Cyber Security and InfoSec Operations. He advises organizations on the threat landscape, builds and grows teams, develops risk mitigation plans, architects security solutions, remediates events, provides testimony…and cleans up messes.
Security isn’t a practice, it’s a state of mind. There, I said it. We talk about security as if it is something special, different, or even better. It is not. Security, especially good security, is boring and repetitive, and it’s driven by a mindset that believes it is easier to protect what I have using order and process than by relying on emerging trends and new tools. This idea doesn’t knock or dismiss the value of tools or emerging trends; instead, it reinforces security through practice.
The 4 V’s
When I discuss security with clients and prospects, I like to introduce the 4 V’s as a way to keep the discussion practical and relevant.
The 4 V’s are:
Vision: Start with the end in mind. More often than not, I’ve noticed that organizations don’t have a Vision for their Security Program and, in the rare instances they do, the Security Vision is not aligned to the organization’s vision of its business and operating models. A Vision provides stakeholders a clear roadmap of what the Program and organization need; when to schedule and expect implementations and changes; and what the Program and organization will look like at a specific point in the future.
Visibility: You can’t protect or fix what you can’t see. Understanding the “dark alleys” of the network, where there are visibility gaps, and the potential impact of those gaps may become critical to ensuring compliance is met and security is maintained.
Verification: Do what you say you do. Regulators, auditors, customers, and lawyers want to know that the organization “walks the talk.” Whether it is basic compliance or cleaning up after an Incident Response, organizations that can prove they “walk the talk” when it comes to governance and compliance generally succeed in reducing risk, while those that lack a disciplined program typically fail to reduce it.
Validation: Is this what we should be doing? Most organizations have limited resources to dedicate to a specific set of operations. As our clients continue to expand the scope and breadth of technologies they use, it becomes increasingly important for them to identify the core competencies they need to protect and sustain to ensure their competitive advantage, and which functions and operations they can safely outsource to free up critical talent, mindshare, and trapped value.
Digital Transformation and Security
So, how does digital transformation (DT) impact security? In the first blog of this series, we defined digital transformation as: “the integration of digital technology into all areas of a business. It fundamentally changes a business's operation and the way in which it delivers value to its customers.” Digital transformation often requires significant changes in business and operating models; the introduction of new software and tools such as AI, IoT, and analytics; increased usage of data; and much greater collaboration among employees, customers, partners and the supply chain. And, these changes may occur quickly.
Fortinet, a global provider of security tools and services, released its “2018 Security Implications of Digital Transformation Report,” which was based on a survey of 300 global CISOs and CSOs. The results were interesting: 92% of respondents said DT has had a large impact on the business, 85% said security is a large hurdle for implementing DT, and there was a wide gap in the number of attacks between top tier organizations (zero attacks that caused damage in 2 years) and bottom tier organizations (16 damaging attacks in 2 years).
The results are not surprising. DT and the rapid introduction of new tools, data, and business and operating models increases the threat surface of an organization. If the new elements are not immediately connected to the legacy infrastructure with appropriate security protocols, you create gaps that present vulnerabilities and exposure.
The report suggested a variety of best practices with an overall view that the use of “holistic and integrated security strategies are more effective than siloed and reactive ones.” This sounds a lot like the 4 V’s! It appears the top tier organizations effectively implemented more of the 4 V principles than the bottom tier.
As we think about Security in the Age of Transformation, I am pushing all the executives I work with to develop a crystal-clear understanding of where they want to go and what they need to do to get there. If security is a state of mind, then we need to be applying security protocols at the start. We need to have a clear Vision, the Visibility to know where we are at risk, the ability to Verify that we are executing the programs in the way we intended, and the intelligence and commitment to Validate that we are doing the right things for the right reasons.