Balancing Enterprise Security and User Access: 6 Points to Keep in Mind

Adopt the right mindset, update your methodologies, and don’t forget the human factor.


IBM and IDG Content

The balancing act that CIOs and CSOs must perform to keep the enterprise secure is a delicate one – guarding corporate assets from both internal and external malicious threats, while also giving all users secure access to data, anytime, anywhere, from any device.

What’s more, this balancing act takes place in an IT infrastructure that’s more complex and challenging than ever. Digital transformation is turning IT into a business partner. Data sprawl is real, across cloud, on-prem, and endpoint. The network perimeter is dissolving. Shadow IT opens up new vulnerabilities. And the very definition of “user” has morphed to include customers, employees, third-party partners, and more.

It all adds up to a long list of potential threats. “Ransomware, vulnerable IoT devices, DDoS attacks, nation-state attacks, and social engineering/phishing are my central security concerns today,” says David Geer (@geercom), Principal at Geer Communications. “In the future, the more connected our lives become, the more vulnerabilities we will see. New technologies including AI, which we intend to empower cybersecurity, will live in software, where code vulnerabilities and zero-days will only increase.”

We reached out to IT influencers to assess how CIOs and CSOs can get their hands around this jigsaw puzzle of complexities—at the same time they are trying to embrace the digital era. Their answers highlight six considerations to keep in mind when creating a forward-looking strategy for balancing enterprise security, digital transformation, and user access.

1. Cultivate the mindset

Companies need to prioritize security, says Troy Wilkinson (@Troy_Wilkinson), best-selling author on cybersecurity and CEO at Axiom Cyber Solutions. “Our biggest concern is that organizations simply do not take cyber-security seriously and many still operate under the guise that it is an ‘IT problem’,” he says. “Cyber-security should be a real concern from the top down, not the other way around.”

“The same goes for 3-5 years down the road if organizations take the ‘head in the sand’ approach,” he continues. “Hackers continue to have success because organizations continue to fail to apply patches and protect against known threats and vulnerabilities—and [hackers] will [succeed] in the future unless organizations change the way they treat cyber-security.”

2. Update your view of the network perimeter

Where to start? By recognizing that the network perimeter is dissolving, in large part because of the growing volume and variety of endpoint devices.

“Right now, the biggest info-security challenge we're facing is protecting the confidentiality and integrity of our data as it travels beyond our teams,” says Grant Shirk (@grantshirk), Vice President of Marketing at Vera. “We have to collaborate and share data externally to be effective, but our current perimeter-based security approaches don't address these challenges. Instead of trying to stop possession of sensitive data (which is no longer feasible), we should turn our attention to defending access to information. By making that shift, we can dramatically improve our ability to control our data.”

That shift also requires a new focus on unified endpoint management, says Thomas Willingham (@GotTWilling), Product Marketing Leader and Evangelist. “One of the biggest security issues I see today deals with digital workspaces and enterprise mobility: ensuring proper security of data and resources as users access their digital workspace across multiple devices and form factors.”

Tobias Buechsenschuetz (@TobBuc), VP of Maastricht Consultancy Day with SCOPE | 3MA, points to IoT in particular. “My biggest concern is staying ahead of the IoT,” he says. “There's an ever-increasing number of connected devices that act as potential points of threat.”

3. Address the human factor

Human error—it’s a real concern. In fact, Christopher Petersen (@CPetersen_CS), IT consultant at Crystallized Software, might argue it should be the #1 concern. “My answer has shifted in the last few weeks,” he says. “The internal human factor is my biggest worry, not in terms of malicious action but in terms of manual information-handling practices. In 3-5 years, I hope to be more worried about APTs and botnets again.”

User education and awareness is key, say others. “No matter how advanced your security systems, employees will always be a potential exploit,” says Nicole Scalese (@nicolescalese), Sr. Manager, Partner Development, at Intermedia. “Teaching all staff to operate with a security mindset should always be one's primary security concern.”

Kevin Jackson (@Kevin_Jackson), Director Cloud Solutions & Technical Fellow at Engility Corporation, concurs. “My biggest security concern now is the ignorance of most users,” he says. “The majority of us do not realize how intertwined our physical and digital lives have become. They don't appreciate the fact that lax digital hygiene will lead to severe real-life repercussions. Repetitive reminders and enforcement of the basics like using complex passwords and maintaining a healthy skepticism of online sites would lead to tremendous improvements.”

4. Use modern methodologies

Keeping users up to date is important – but at the same time, users are only as strong as the security methodology a company employs, argues Maria Korolov (@MariaKorolov), cybersecurity writer for CSO and editor of Hypergrid Business. “As someone who covers cybersecurity, I'm most concerned about the fact that many companies are still using old-school passwords,” she says. “Eight characters, mix of different types of letters and symbols, no multi-factor authentication. These are the worst passwords.”

“Ideally, everyone should be encouraging users to have 20-characters-or-longer strings of random characters, and use password managers to keep track of them,” she continues. “Some sites actually prevent cutting-and-pasting passwords, or otherwise restrict functionality so that password managers can't work.”
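To put numbers behind the contrast Korolov draws, here is an added example (not from the article or any of the people quoted) that compares the keyspace of an 8-character password that must mix letters, digits and symbols with a 20-character random string from a password manager. It assumes a 95-symbol printable-ASCII alphabet, that the old rule requires every one of four character classes to appear, and a constructed offline guessing rate of 10^10 guesses per second; real human-chosen 8-character passwords are far weaker than this best-case uniform model.

```python
import math
from itertools import combinations

# Character classes of printable ASCII (constructed assumption: 95 symbols total).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95


def random_string_bits(length: int, alphabet: int = ALPHABET) -> float:
    """Entropy in bits of a uniformly random string, e.g. one a password manager generates."""
    return length * math.log2(alphabet)


def composition_rule_count(length: int) -> int:
    """Number of strings of the given length containing at least one character from
    every class (the classic 'mix of letters, digits and symbols' rule), counted by
    inclusion-exclusion over the set of classes that are left out entirely."""
    sizes = list(CLASSES.values())
    total = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            total += (-1) ** k * (ALPHABET - sum(excluded)) ** length
    return total


def composition_rule_bits(length: int) -> float:
    """Entropy in bits if the password is chosen uniformly among rule-compliant strings."""
    return math.log2(composition_rule_count(length))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second


def compare(rate: float = 1e10) -> dict:
    """Contrast the old-school 8-character policy with 20 random characters.
    The rate is a constructed assumption for an offline attacker against a fast hash."""
    old_bits = composition_rule_bits(8)
    new_bits = random_string_bits(20)
    return {
        "old_bits": old_bits,
        "new_bits": new_bits,
        "old_days": seconds_to_exhaust(old_bits, rate) / 86400,
        "new_years": seconds_to_exhaust(new_bits, rate) / (365.25 * 86400),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.3g}")
```

The composition rule actually shrinks the keyspace slightly below the unconstrained 8-character one, while the 20-character string adds roughly 80 bits; the gap, not the character mix, is what makes the password manager approach defensible.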

5. Don’t forget the application

Passwords are not the only thing that need attention. “There have been countless data breaches over the years, but this year, it’s safe to say it was the year of the application breach,” says Jessica Marie (@thoughtcosm), Product Marketing Principal at White Hat Security. “Securing code (and applications) is actually our biggest concern now and in the coming years. Appsec needs to be part of an overall vulnerability management program.”

“As we’ve seen with the Equifax breach, this shows us just how catastrophic these kinds of breaches can be,” she continues. “Vulnerabilities like SQL Injection, bad authentication techniques, and unpatched third-party libraries are what cause many problems, but because many in IT security are primarily familiar with network security, applications are not given the attention (or budget) they deserve and require.”

6. Evolve and flex as new technology emerges

Looking ahead, next-gen technology such as quantum computing, AI, and machine learning may be what’s needed to fight the next generation of security threats.

“In the long run, Blockchain promises to make a lot of transactions more secure than what we've experienced before, but human error will prevail until AI can fully automate a given process,” says Tobias Buechsenschuetz.

“The near-term challenge (3-5 years) will be the advent of commercially available quantum computing capabilities,” says Kevin Jackson. “This certainty will make all our current security practices virtually obsolete.”

For forward-looking CSOs, that means keeping an open mind about which technology will be the next one to help secure tomorrow’s enterprise.
