How Your Cybersecurity Strategy Enables Better Business
Historically, cybersecurity has the reputation of getting in the way of doing business. Few people are happy when required to change a password, or when told a proposed new application needs additional safeguards before it can be deployed.
A recent Trend Micro global survey, Risk and Reward, found that 84% of respondents say cyber policies are impacting employees’ ability to do jobs in office; business being slower, difficulty accessing info, and general access to the network were the top three listed complaints. If cybersecurity is going to change that perception, becoming more of a business enabler is not only possible, but critical.
Security the Old Way, and the New Way Ahead
Historically there has been two opposing forces: business needs to be competitive and as nimble and free from constraints as possible, and we need to keep our business up and running and our customers’ data safe.
That simple push-and-pull model isn’t the case today. The biggest change is that the threat is so ever-present, and the consequence of an attack is so great. Ransomware is so ubiquitous and the effects so serious, and almost all attacks involve lateral movement. The second is that our IT environments have incredible complexity. The third is, due that complexity in our IT, our security is necessarily just as complex.
That last factor – complexity – does have an upside. Never before in security have we had more flexibility in design choices in order to make security more flexible. That flexibility means we can have security that is more dynamic, more on-demand or orchestrated, and more automated. Zero Trust Network Access (ZTNA) and Attack Surface Management (ASM) are two clear examples where new cybersecurity strategies can be business enablers.
Zero Trust and ZTNA As an Example of a Cybersecurity Strategy Enabling Business Change
Zero trust is a term too often used and even more often misunderstood. Fortunately, ZTNA is a great example of zero trust architecture principles implemented in reality as well as that modern flexibility.
ZTNA is based upon the VPNs we’re already familiar with. ZTNA though still starting at an endpoint doesn’t end at a VPN concentrator (usually located near the internet edge for the common case of a remote endpoint). Instead this connection is usually dynamic with security logic dictating the best path, and that path goes as close as possible to the server or other agent.
That flexibility allows in most cases for changes in architecture or how the business is conducted without having to seek security approvals. New applications being added? If the changes are within policy, then that change in path or business is invisible as it should ideally be.
From a security perspective, ZTNA radically improves security over legacy VPNs because the connection isn’t merely trusted because it at some point transited a VPN concentrator, is never unencrypted past the internet edge where a VPN concentrator would be, and relies on stronger identities as the credentials travel end-to-end, and should have the trait of posture – posture meaning what is the moment-in-time health of the identities involved, not just are they ‘official’ and not revoked.
Attack Surface Management (ASM) Making It Safer for the Business to Innovate Quickly
ASM is related to zero trust. ASM is a security architectural method that is implemented using zero trust principals. Most buildings have many doors, windows, and hallways. ASM is the IT equivalent of removing as many of those points of access and transit as possible, always having visibility and having an accurate inventory of the things and people.
Well-implemented ASM forces attackers into operating in those few pathways, all of which are well observed, generate rich telemetry, and highly managed in regard to vulnerabilities; all of this also makes not only reconnaissance and initial exploits more difficult but also makes lateral movement more difficult.
Business innovation speed benefits because ASM visibility supports new additions and helps ensure they are patched and monitored. This smaller attack surface is less brittle than previous architectures, which were effectively a house of cards of risk – any changes would have to be so carefully considered and this consideration would always take time.
Conclusion
We started out with the survey result that 84% of respondents say cyber policies are impacting employees’ ability to do jobs. However, In the same March survey by Trend Micro, 52% strongly understand cyber security’s role in driving innovation. This result linking a cybersecurity strategy to innovation is frankly remarkable, and highlights that security is today a key part of enabling business change, and that business unit leaders are looking to cybersecurity as partners. These two survey results give guidance to security, that their decisions have a significant impact on the business, but that these decisions can instead be a business enabler.
Read the full report: Risk and Reward – Reconciling the conflicted views of business leaders on the value of cybersecurity.