The theory is you want to forecast your business’ needs before they find another way to serve them. When we build our three-year road map one of our goals is to envision early what our business, the industry, and our vendors are working towards. – Marc Kneppers, Telus chief security architect
In the world of security, it is often said that there is no perimeter to secure anymore. With the boundaries between networks and devices blurring, many are taking a people-centric approach to information security to avoid a major cyber security event. And companies are investing more than ever in cyber security – according to IDC Canada, security spending will increase in Canada in 2015, one of the main areas of technology spending growth.
Because business dynamics are fluid and ever evolving, IT leaders face real challenges in forecasting user needs and work behaviours. Few know this better than Telus, whose Work Styles program aims to have 70 per cent of team members working remotely or at home. Telus is Canada’s fastest-growing national telecommunications company, with $12 billion of annual revenue, and is at the forefront of new and innovative communications solutions.
To understand the challenges and strategies of adapting to the new world of work with respect to information security, I spoke with Marc Kneppers, chief security architect at Telus. Kneppers shares his guiding principles on security and what we can learn as Telus continues to accelerate into a mobile-first world for their 40,000+ employees.
Brian Clendenin: There are many security models; what are your guiding principles for creating a security strategy?
Marc Kneppers: “I believe in the community approach – how you truly partner with the business. A lot of security teams take a consulting stance. If you don’t know where the technology and the business are going then you can’t plan your strategy. One of the first goals is to understand where you want to be three years out … and it is very intuitive. Then you need to break that down into steps of what you need to do to get there. The way we’ve structured it at Telus is to break it down into focus areas such as core networks, mobile networks, and internal enterprise technologies. That then lends itself to roadmaps – so if you look at data security as a silo … you can have a one, two, three-year roadmap for that area. Within that roadmap, the first year really becomes tactical projects. There are likely some systems that need to be upgraded and some fixes. The second year becomes proof of concepts – things we think are on the verge of fruition. And the third year, we throw in R&D items where we and the industry at large simply don’t have the answer yet. In a nutshell, you are aiming for a long-term view out.”
Clendenin: What workforce trends are impacting your strategy development?
Kneppers: “Telus has a strong mobile worker initiative, and through the use of innovative technology, our goal is to have up to 70 per cent of our team members working at home or remotely – Telus is very mobile. We have to consider this when developing our security strategy. It’s interesting, the way I’m viewing it is that we used to have three or four perimeters: a physical perimeter, network perimeter, user perimeter, and data perimeter. And, you never thought of them as separate because they all coincided – they were a building. All of that has changed. What I’m seeing in systems architecture often times is that we are still trying to hold two or three of those perimeters together as if the user perimeter still has to tie to your data perimeter – and I don’t think that is true anymore. If you look at cloud, your users are going to be at home and your data is going to be here and there. I think it’s more useful to start breaking up those perimeters to understand the different controls that need to exist.”
Clendenin: Tell me more about forecasting business needs?
Kneppers: “The theory is you want to forecast your business’ needs before they find another way to serve them. When we build our three-year roadmap one of our goals is to envision early what our business, the industry, and our vendors are working towards. Because if you are not trying to forecast where they will be, you (IT) will be stuck in reactive mode and find out people are using an unexpected solution, and now it’s a security problem. I believe the CSO’s role is to secure both business-driven and security-driven initiatives. On the security side, you want to forecast your own needs within the security roadmap before solutions are offered to you by the market, so that you ensure you develop solutions that meet your business’ specific needs rather than seek out the solutions that are trending.”
Clendenin: How do you balance technology ease of use for employees and security?
Kneppers: “That is a hard balance to find. I think some of that comes down to prioritization. The key is to give team members the right tools that blend usability with an underlay of strong security. A lot of times, we have learned how to achieve this in action. For instance, in one situation, we implemented system policy restrictions and then enhanced our work processes to allow team members to work from home. Then, we had to swiftly adapt the tools and policies to meet the new needs of working remotely. There is always that business balance.”
Clendenin: What about business risk? Who is responsible?
Kneppers: “I do believe in the risk/value equation. And, I believe a business can absorb risk, but the onus is on the security team to accurately represent the risk in a consumable fashion and not blow it out of proportion. For example, in the case of the cloud, a security team has to be able to concretely express to the business that they are taking information out of the enterprise perimeter, moving it somewhere else, and then have a dialogue about who can access it and what protections are in place. The business can then make an informed decision based on a robust risk assessment. At Telus, given we are a customer-facing enterprise, it’s not just the security team but every team member that is responsible for safeguarding our assets and customers’ privacy.”
Clendenin: This is always difficult to do: how should one look at quantifying the financial risk of a security breach?
Kneppers: “Security is equally important as many other business risks. If you look at security events these days, they stay in the news for a while, because people are curious. All it takes is one security breach to undo all the best efforts. Modern-day threats have evolved to the level that you can put a whole company at risk on a security breach, so it’s critical that businesses small and large prioritize their security.”
Today, more than ever, information security is everyone’s responsibility within an organization. The challenge for IT leaders and business leaders alike will be to continually think about future user demand and the work environment, and take the appropriate steps to secure corporate information without making security processes too restrictive. You want to avoid the scenario where people circumvent IT seeking more user friendly tools and end up creating a shadow IT organization – thereby increasing corporate information security risk.
Think long term, look outside your organization for trends in the market, and educate your workforce on their responsibility to help protect corporate information as part of their daily practice.