With the evolving technology landscapes that modern businesses are built upon, ensuring the availability of your systems has become a critical part of all operations.
It is not always possible to prevent a breach from occurring but it is possible to ensure there are processes in place to mitigate any risks once an attacker has broken through the first line of defence.
Facilitating the protection of the highest value assets is a good starting point and this is possible through separating and securing the environments with policy rules. This sounds hard and complicated – the old techniques you have used previously may not work so well in this new dynamic world of cloud and DevOps.
The BTN was delighted to partner with Illumio, the micro-segmentation leader for Zero Trust, for a VIP virtual roundtable for senior Technology & Security executives to have an interactive discussion around the growing role of segmentation.
The issue of security needs elevating to a social issue, rather than a ‘business fine’ issue.
The discussion started with the group looking at how the roles of the CIO and the CISO must become more aligned and less at loggerheads. There was a wider consensus around the notion that a CIO can’t be successful if they have no interest in security and a CISO can’t be successful with no interest in the application portfolio.
Security’s role within business has regularly been treated as an afterthought rather than placed at the forefront of strategic planning. The scale of the SolarWinds supply chain attack brought this conversation to the forefront of the session: it even led President Joe Biden to discuss the topic at a recent talk, bringing a non-tech user to talk about security issues at the highest level.
Reputational impact and the minimising of business disruption can be similar drivers for embedding security. Losing records is one thing, but operational downtime of 1 day will have a dramatic impact on a business, whereby the ‘cost’ of the breach is not just the fine but also reputational damage that can’t be quantified.
The group agreed that as security leaders, we must be talking to the business to improve security posture and when a business starts on their security solution journey, we must be protecting everything as far as we can, rather than focusing on a siloed area.
If investing in a security product/solution, you have to define the security product and how you are going to specifically protect the business with the product. How is it possible to move the conversation away from ‘super shiny tech’ to ‘here is our current position, where we’ll be in 3 years, and onwards to a future position in 5 years’?
The risk needs to be up to speed with the pace of change.
Stop treating your infrastructure like a pet
Across the board, it was agreed that it’s so easy to get started small in the cloud, but so few organisations actually scale with ease. If you’re trying to ‘lift and shift’, then you are going to take some of the problems with you. Therefore, try to make everything more agile; it is key to align cost reductions and increased performance.
Create cost efficiencies by treating your infrastructure less like pets and more like cattle. Move away from patching & ‘feeding’ your infrastructure and move to a model where you constantly deliver on new changes and stop relying on existing patch cycles.
How can we enable our businesses to move quicker with evolving changes? Can the role of DevSecOps be the solution? All technology comes in different guises, so it is essential to ensure your security can keep up to speed with the evolving digital transformation of your business.
Manage the culture change alongside the technology change
The number 1 issue from IT is that they don’t have the ability to deliver quickly enough, at scale, with the highest quality. The move away from how operations were done historically to how they will be done in the future is where a culture shock occurs within IT.
The culture change needs to showcase the end state. Communicate what is going to be delivered in 6 months, then 12 months, etc., and improve the value in each iteration. Manage stakeholder expectations: small changes now, with the rest coming later.
With your employees, the technology focus must have a process that runs alongside it. Even with simple security changes such as moving away from passwords to passphrases, the journey and the narrative need to be communicated with the end goal in sight.
The role of security within organisations is ever-changing and it is key to bring the organisation with you, becoming the department of 'yes' instead of 'no'. Zero Trust and Micro Segmentation solutions are not plug and play but more of a mindset change that is complemented by technology advancements.
Aspiring for environments where everything and anything can be segmented is where organisations need to be focused.
The benefits of Micro Segmentation can be truly showcased when everyone on board is aware it doesn’t solve 1 singular thing and is far more broad-reaching than just a security or a network product.
To learn more about Zero Trust Segmentation please visit https://www.illumio.com/solutions/zero-trust
Illumio enables organizations to realize a future without high-profile breaches by providing visibility, segmentation, and control of all network communications across any data center or cloud. Founded in 2013, the world’s largest enterprises, including Morgan Stanley, BNP Paribas, Salesforce, and Oracle NetSuite, trust Illumio to reduce cyber risk.