IT departments spend hundreds — maybe millions — of dollars a year on network security systems to protect the organization from ever-increasing threats.
But a Symantec Corp. technology evangelist says the worst thing they sometimes do is turn some, or all, of those capabilities off to boost network performance.
“There’s illustration after illustration out there that point to huge mistakes on the part of IT saying turning a dollar is more important than security,” Neils Johnson said in an interview Wednesday at the SC Congress security conference in Toronto. “It may be in the short term; long term that philosophy is going to own you.”
The second biggest mistake IT professionals make is believing anti-virus protection isn’t needed. It has moved down the list of priorities, he said, but without it the organization is vulnerable to virus-borne attacks.
Finally, many don’t do the basics like keeping systems patched. At least 75 per cent of network breaches wouldn’t be an issue if security-related software were kept up to date, he said.
Johnson was at the conference to give a spirited talk on the need for security professionals to focus on risk definition and mitigation rather than IT infrastructure.
He doesn’t lack for opinions, or energy, striding across the stage and letting loose with entertaining broadsides:
–“If your priority is dealing with risk from an infrastructure perspective, you are so behind the curve. You have to deal with (protecting) the infrastructure, but today it is so not much about the infrastructure” but protecting corporate data;
–“Bad things happen to good people:” Risk comes from everywhere — the threat landscape, HR, litigation — and security pros need to ensure they can have IT systems up and running after any malady hits;
–“I like people … but people by and large bring with them three strikes: They are inefficient, ineffective and error-prone … Anything I can do to put an air gap between the information and the infrastructure, and protect both from people, in my mind is risk mitigation. I want to eliminate people to the best of my ability from the equation.”
–Employees, customers, suppliers and vendors are “egomaniacs” who want their information on their screens and don’t care about separating personal from corporate data. That’s IT’s problem, they figure.
–People talk today about big data, but when mining huge amounts of data becomes common it “will change the way you and I consider security from an overall perspective.” Target number one will be the huge repositories of data, on-premises or in the cloud, that organizations have been stockpiling. And that will affect today’s carefully drawn disaster recovery and business continuity plans, he suggested.
One problem is organizations have departments that don’t work together, he said. “Someone has to stand up inside the organization and say it’s time to stop and understand we’re all going to play nice in the sandbox. Today that’s nearly a requirement. Tomorrow it will absolutely be one.”
Beyond that, IT departments have to take what he called a three-layer information-centric approach to security. That includes securing infrastructure with traditional tools; an information intelligence layer (classify data to see what needs to be stored, what can be discarded, what can be put in the cloud and what has to be encrypted, and he believes that everything except the cafeteria menu should be encrypted); and an information governance layer (sets policy on information governance, access and compliance).
There are those who think putting data in the cloud is safer than keeping it on-premises because service providers look after security. Johnson urges caution.
“I’m very ambivalent when it comes to security in the cloud,” he said in the interview. “There are service providers that are very capable and frankly, some are more astute than IT departments. On the other hand there are cloud service providers that care more about turning a dollar and getting their volumes up than keeping security tight.
“How do you separate those two? It’s about having an intelligent, clarifying with your cloud service provider, prepared to ask very, very hard questions. And if you’re not getting the answers you want you go to the next provider. Questions like is my data going to be co-mingled with everyone else’s and you’re just going to put markers to separate? Is there separation of duty so no one person has access to all my data? Show me how I know all my data generated in one country stays there.
“I would have a laundry list of what I expect from a cloud service provider.”
And, he adds, everything in the cloud has to be encrypted.