the 10 secret codes of security

Upload: karinaelise8

Post on 18-Nov-2014

Page 1: The 10 Secret Codes of Security

THE SECRET CODES OF SECURITY

10

Page 2: The 10 Secret Codes of Security

If you want to see how a lion hunts, you don’t go to the zoo. You go to the jungle. This is why we went exploring: friends of friends. In their comfort zones.

No scripts. No transactions.

We wanted to get into the hearts and minds of IT, so we had conversations rather than interviews. But naturally, we dug into one of the most critical topics in IT today: security.

4 WEEKS. 5 STATES. 9 CITIES. 20 SENIOR IT DECISION MAKERS.

12 TO 35 YEARS’ EXPERIENCE.

A RANGE OF INDUSTRIES, INCLUDING FINANCE, PHARMA, MANUFACTURING, JOURNALISM, EDUCATION, TECHNOLOGY, HOSPITALITY, TELECOM, ENTERTAINMENT AND REAL ESTATE.

GLOBAL AND DOMESTIC COMPANIES, FROM 50 TO 90,000 EMPLOYEES.

Page 3: The 10 Secret Codes of Security

THROUGH 2016, 75% OF CISOS WHO EXPERIENCE PUBLICLY DISCLOSED SECURITY BREACHES AND LACK DOCUMENTED, TESTED RESPONSE PLANS WILL BE FIRED. — Gartner

Page 4: The 10 Secret Codes of Security

And if the people at the top are worried about security, you better believe all the people involved in enterprise IT decisions are feeling the pressure. Among almost everyone we interviewed, security came up as the most common work-related nightmare. It is clearly on their minds on a daily basis.

But what exactly are they worrying about, and why? Let’s look at 10 human truths about IT pros’ approach to dealing with security.

Page 5: The 10 Secret Codes of Security

1 THEY ARE INSECURE ABOUT SECURITY

Almost every IT solution is a security risk to some extent, which can lead to some pretty paranoid IT pros. The level of comfort and confidence in current security measures and models is generally low.

Page 6: The 10 Secret Codes of Security

MY COMPANY CONSTANTLY SAYS SECURITY IS THEIR #1 PRIORITY WITH IT. THEY TALK THE TALK. BUT THEY DON’T ACTUALLY DO ENOUGH. IT’S SECURITY THROUGH OBSCURITY. — Tony, Automation Services Consultant for a large bank

“I mean, my systems are secure because I’m not a dummy and I like to sleep at night. But I can’t say that for most of my company.” — Mike, Senior IT Manager at a large telecom company

96% of successful attacks on enterprise security in 2012 were not highly difficult — everyone is truly at risk.

> Verizon 2013 Data Breach Report

The average cost per record of a data breach in 2011 was $222. The average company with a data breach that year lost $5.5 million.

> Ponemon Institute, State of Web Application Security

Page 7: The 10 Secret Codes of Security

2 NO ONE HAS IT FIGURED OUT

IT pros stressing about the holes in their systems assume that their problems are the worst, when in reality, their peers in other companies and industries are up against similar threats and complications.

Page 8: The 10 Secret Codes of Security

“Security becomes more and more challenging as IT is shifting to the cloud and mobile devices. Consumerization of IT caught traditional corporate IT infrastructure totally unprepared. Even the best of us are still trying to catch up.” — Nico, Senior IT Project Manager at a large global manufacturing company

YOU’VE GOT TO BE KIDDING ME — THAT BANK DOESN’T HAVE PERSONAL DEVICE SECURITY FIGURED OUT YET? I THOUGHT WE WERE SO FAR BEHIND THE INDUSTRY. — Jonathan, Global Head of Data Transformation at a large finance company

75% of attacks are opportunistic — not targeted at a specific individual or company.

> Verizon 2013 Data Breach Survey

86% of all websites had at least one serious vulnerability.

> WhiteHat 2013 Website Security Statistics Report

Page 9: The 10 Secret Codes of Security

3 RELIEF IS BRIEF

When it comes to security, there is never a moment when it’s all under control. The thousands of solutions and options can’t be implemented as fast as the potential risks evolve. Any sense of security an IT pro might feel is likely to be short lived.

Page 10: The 10 Secret Codes of Security

“No one is ever 100% protected. You should never feel safe, or you’re not being diligent.” — Jonathan, Global Head of Data Transformation at a large finance company

IF YOU THINK YOU’RE PROTECTED, YOU’RE DOING IT WRONG. — Mike, Senior IT Manager at a large telecom company

66% of the breaches took months or even years to discover.

> Verizon 2013 Data Breach Report

“34% of urgent vulnerabilities are not fixed.”

> Ponemon Institute, State of Web Application Security

There are an average of 70,000 new threats per day.

> Kaspersky Lab

Page 11: The 10 Secret Codes of Security

4 THE GOAL IS PREVENTION, NOT REACTION

If something goes wrong, it’s a crisis management problem — not a security problem. The best security experts approach it as a proactive matter.

Page 12: The 10 Secret Codes of Security

“Security is all about non-issues.” — Pat, VP, IT Manager at a large technology company

IN 2011, 97% OF SECURITY BREACHES COULD HAVE BEEN AVOIDED THROUGH SIMPLE OR INTERMEDIATE CONTROLS. — Verizon 2012 Data Breach Report

“We have a company-wide policy to treat all of our systems as if they have already been compromised at all times.” — Will, SaaS Consultant for a large technology solutions company

Page 13: The 10 Secret Codes of Security

5 SECURITY IS MISSION CRITICAL

Finance and healthcare have the most serious legal ramifications when it comes to IT security. At the same time, companies in every industry, big and small, are striving to implement the security measures needed to protect data.

Page 14: The 10 Secret Codes of Security

1 in 5 Americans would stop doing business with a bank or credit card company after a security breach.

94% of healthcare organizations have been breached.

I WENT FROM WORKING IN ENTERTAINMENT WHERE I COULD SORT OF JUST ASSURE PEOPLE THE SOLUTION I WANTED TO DO WAS SAFE, TO WORKING IN FINANCE WHERE I HAD TO PROVE IT TO 15 PEOPLE BEFORE IT WAS EVEN CONSIDERED. — Waseem, Consultant and System Administrator for a small investment company

Security breaches cost healthcare organizations $2.4M over 2 years as the healthcare sector is among the most vulnerable to hacking and cyberattacks.

> HIT Consultant

14% of data breaches were in the financial sector and 255,396,710 records were exposed by the breaches.

> Privacy Rights Clearinghouse

Page 15: The 10 Secret Codes of Security

6 SECURITY = JOB SECURITY

It is shaping the future of IT as a discipline. Job titles, internal organization and business practices are evolving to include internal and third-party security experts, groups and processes.

Page 16: The 10 Secret Codes of Security

SECURITY IN IT IS JOB SECURITY FOR IT. — Waseem, Consultant and System Administrator for a small investment company

“IT is a massively growing field. And security is the fastest growing area within that fastest growing area.” — Danny, VP, System Designer at a large pharma company

Two-thirds of security leaders expect spending on information security to rise over the next 2 years.

Of those 90% anticipate double-digit growth. One in ten expects increases of 50% or more.

> IBM CISO Study

Page 17: The 10 Secret Codes of Security

7 HACKERS ARE A PRO’S BEST FRIEND

As security becomes more central to all IT decision making, the number of specialists will grow along with options for education and training for that specific skill set. These experts will be unafraid to breach, bend and break tech solutions to ensure they are secure.

Page 18: The 10 Secret Codes of Security

“Hiring professional hackers to try to break into our systems and identify the holes has been the most powerful way to convince management to pay for security projects!” — Nico, Senior IT Project Manager at a large global manufacturing company

I ASK FOR A TRIAL AND THEN I TRY TO BREAK IT. I SPEND DAYS OR WEEKS LOOKING THROUGH THE SOURCE CODE, PLAYING WITH THE SETTINGS, GETTING ALL MY MOST BRILLIANT CODER FRIENDS TO TRY TO BEAT THE SYSTEM AND BREAK IN. THE BEST SECURITY SPECIALISTS ARE HACKERS AT HEART. — Waseem, Consultant and System Administrator for a small investment company 

Did You Know?

If the organization has a CISO with overall responsibility for enterprise data protection, the average cost of a data breach can be reduced as much as $80 per compromised record. Outside consultants assisting with the breach response can also save as much as $41 per record.

Page 19: The 10 Secret Codes of Security

8 THERE IS NO QUICK FIX

As companies strive to get a handle on security, many are quickly realizing that doing it well means rethinking the entire IT security model. It’s not as simple as adding another layer; they often find themselves rewriting the rules on data access altogether.

Page 20: The 10 Secret Codes of Security

“There is NO reason for me to ever see client-identifying data. But right now, I could.” — Jonathan, Global Head of Data Transformation at a large finance company

“Crunchy on the outside. Soft and chewy in the center.” — Danny, VP, System Designer at a large pharma company

A NEW MODEL FOR COMPANY SECURITY

[Diagram: the old way, THE MOAT MODEL, versus the new way, THE ONION MODEL, with access layers ranging from “roam free” to “complete lockdown” and groups such as the C-suite and contractors + vendors placed in different layers.]

Page 21: The 10 Secret Codes of Security

9 SECURE SOLUTIONS VS. SECURITY SOLUTIONS

Enterprises are trying to strike the right balance between tools they trust and tools built specifically to further secure existing systems. As a result, no matter what the IT solution might be, security is a factor in the decision-making process.

Page 22: The 10 Secret Codes of Security

THERE IS THIS PARKING LOT THAT HAS ROUGHLY 50 STOP SIGNS IN IT. IF THERE WERE 10–20 WE’D PROBABLY STOP AT ALL OF THEM. INSTEAD, BY HAVING SO MANY, WE ARE ALL TEMPTED TO SKIP THEM ALL. THERE’S A TIPPING POINT WITH SECURITY SOLUTIONS. — Will, SaaS Consultant for a large technology solutions company 

“Security should be a part of any architected solution.” — Mike, Senior IT Manager at a large telecom company


Page 23: The 10 Secret Codes of Security

10 RESISTANCE IS REALITY

Security measures are seen as an impediment, not an enabler. Everyone feels the pain that extra passwords and multiple logins inflict on productivity, so change is slow to happen, especially when it comes to things like BYOD.

Page 24: The 10 Secret Codes of Security

“Like anything else IT-related, the best course of action is to induce change by making users’ lives easier. Users are unlikely to prioritize a system’s security over their lives’ simplicity.” — Will, SaaS Consultant for a large technology solutions company

HACKERS AREN’T SECURITY’S BIGGEST ENEMY. USERS ARE. — Bob, Full-time IT Consultant for a class-action services company

In 2011, negligence accounted for 39% of data breaches, slightly more than the 37% that came from malicious attacks.

> Ponemon Institute, State of Web Application Security

The most common password used by global businesses is “Password1” because it satisfies the default MS Active Directory complexity setting.

> 2012 Trustwave Global Security Report
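The “Password1” statistic is the clearest technical point in the deck: a complexity policy measures character variety, not guessability. The Python below is an added example, not code from the deck or from any of the reports it cites. It approximates the Active Directory “password must meet complexity requirements” rule as I understand it (assumptions: three of four ASCII character classes, the Default Domain Policy minimum length of 7, and rejection of passwords containing the account name or a display-name token of three or more characters; the real policy also counts a fifth class of non-Latin alphabetic Unicode characters, which is omitted here) and then applies a constructed blocklist, so that “Password1” passes the complexity check and is still rejected.

```python
import re

# Constructed, illustrative blocklist of well-known leaked passwords (not from
# the page or the Trustwave report). A real deployment would use a large
# breached-password corpus, compared in lowercase.
BREACHED_PASSWORDS = {"password1", "password", "123456", "welcome1", "qwerty1"}


def meets_ad_complexity(password, account_name="", display_name="", min_length=7):
    """Approximation (assumption) of the Windows complexity policy:
    - at least min_length characters (Default Domain Policy uses 7),
    - characters from at least three of four classes: upper, lower, digit, other,
    - must not contain the account name,
    - must not contain any display-name token of three or more characters."""
    if len(password) < min_length:
        return False
    classes = [
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    if sum(1 for c in classes if c) < 3:
        return False
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        return False
    # Windows splits the display name on commas, periods, dashes, underscores,
    # spaces, hashes and tabs before checking tokens (assumption of this example).
    for token in re.split(r"[,.\-_ #\t]", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    return True


def is_acceptable(password, account_name="", display_name=""):
    """Complexity policy plus a blocklist: returns (accepted, reason).
    'Password1' satisfies the policy but is rejected by the blocklist,
    which is the gap the Trustwave statistic points at."""
    if not meets_ad_complexity(password, account_name, display_name):
        return False, "fails complexity policy"
    if password.lower() in BREACHED_PASSWORDS:
        return False, "appears in breached-password list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password1", "password1", "Jsmith2024!", "Correct-Horse-42"):
        print(candidate, "complexity:", meets_ad_complexity(candidate, "jsmith", "John Smith"),
              "acceptable:", is_acceptable(candidate, "jsmith", "John Smith"))
```

The point of the second function is that the complexity rule alone is the default many organizations stop at; a blocklist of known-breached values (and, ideally, length-based rather than class-based requirements) is what actually removes “Password1” from the population.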


Page 25: The 10 Secret Codes of Security

NOW GO DO THIS

Page 26: The 10 Secret Codes of Security

1 EMBRACE THE COMPLEXITY Don’t overpromise or pretend to have the silver bullet. Ignoring the complications and speed of change means not understanding it.

2 OFFER A COMMON GROUND Unite ITDMs in the sense of security that comes with knowing everyone is dealing with these threats and no one has solved them.

3 ACKNOWLEDGE THE LAYERS Talk about security as the ecosystem it is. Each business needs to find the layers and tools that are right for them.

4 HELP THEM SPREAD THE WORD It can be difficult for ITDMs to sell solutions to their colleagues. Arm them with ways to talk about and show security solutions as a positive addition to the organization.

5 GET PERSONAL Don’t just tell them what the solution can do for their business, make it about what it can do for them. ITDMs are yearning for glory and respect.

6 BE A SOURCE OF COMFORT AND SUPPORT With all the complexities of security, ITDMs can’t go it alone. Be the partner they can turn to through thick and thin.