Tactical Advice

It’s True: The Enterprise Castle Has No Walls

Companies should think less about building an impenetrable castle and more about defense strategies against breaches.
It’s True: The Enterprise Castle Has No Walls
Credit: iStockphoto/ThinkStockPhotos

Some parents are so overprotective of their children, afraid of their being harmed or exposed to dangerous elements out in the real world, that they prevent them from having fulfilling life experiences. The movie “Bubble Boy” encapsulates such thinking perfectly.

The problem with that approach is that it unfairly burdens the child, leaving no room for serendipity, experimentation or growth.

In some ways, IT security has had a similarly paternalistic approach to its workers. Cumbersome, intrusive and inconvenient IT security solutions can make workers averse to the security altogether. In the age of shadow IT, when the IT department gets in the way of work, workers will use consumer technology to get around it.

That’s why HP security strategist and blogger Rafal Los thinks it’s time for CISOs to ditch the castle or fortress approach to “keeping the bad guys out.” Defining just who the bad guys are is quite difficult, when in fact some of the perpetrators letting the so-called bad guys in — either knowingly or unknowingly — are co-workers.

In Los’s words, the modern enterprise is a castle without walls. He elaborates in a post on his blog:

I think it’s important to have this happen industry-wide because we as a profession need to shift the way we think. If we can agree that the analogy is bad, and the thinking around it is outdated, perhaps the thinking will be pervasive into enterprise behaviors and things will start to change.

I’ve been talking a lot lately (and will be doing more of it) about modernizing your security programs to be ‘defensible.’ Defensible is an interesting word because it builds upon the thinking that security has used over the years, but doesn’t strive for absolutes. ‘Secure’ still unfortunately is the target of many CISOs and even worse company leadership like the CEO or board of directors. We collectively know from experience that ‘secure’ is a mythical unicorn and doesn’t actually exist... So the leap in logic is that we move to something that’s defensible.

Defensible, in Los’s view, means that companies and CISOs think comprehensively about their organization’s vulnerabilities and plan defenses around them instead of striving for absolute, 100 percent, locked-down, impenetrable protection. That idea of IT security, as he points out, is unattainable and unrealistic.

The question is, are company leaders ready to shift their idea of IT security to something that’s not ironclad? They might say “no,” but the truth is that it never was ironclad to begin with. In fact, a “secure” approach to IT has lulled many small- and medium-sized businesses into a false sense of security.

A 2012 survey by Symantec found that 66 percent of SMBs are not concerned about internal or external threats to their IT. Meanwhile, recent survey data found that 40 percent of businesses with five to 249 employees experienced a breach in 2011, and that 96 percent of those attacks could have been avoided through basic network security measures.

Such misguided confidence backs up Los’s assertions, and suggests that every CISO should be hard at work tearing down their companies’ castle walls.

Sign up for our e-newsletter

About the Author

Ricky Ribeiro

Online Content Manager

Ricky publishes and manages the content on BizTech magazine's web site. He's a writer, technology enthusiast, social media lover and all-around digital guy. You can learn more by following him on Google+ or Twitter:

Security

Heartbleed: What Should Your... |
One of the biggest security vulnerabilities has almost every user and every industry...
Why Businesses Need a Next-G... |
Devices investigate patterns that could indicate malicious activity.
Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Businesses Must Step Careful... |
Slow and steady wins the race as businesses migrate IT operations to service providers,...
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Mobility: A Foundational Pie... |
Other technologies rely on mobile computing, which has the power to change lives, Lextech...
Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.

Hardware & Software

Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....
New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.