A Bigger Scope Means A Bigger Mission

Today, I am excited to announce that Drawbridge Networks is officially part of the OPAQ Networks team!

When we started Drawbridge Networks, we had a very clear mission of empowering companies to understand and defend their networks better than attackers. This was not an easy thing to tackle and required thinking outside of the box to create innovative technology that could achieve this goal.

Joining OPAQ Networks expands the scope of what the Drawbridge Networks team originally set out to do. The delivery, scale, and provisioning mechanisms of the OPAQ 360 platform, combined with Drawbridge’s unique approach to micro-segmentation, make a unified solution extremely powerful.

As security capabilities move off the customer premise, there is a need to enforce controls between different internal network segments. The Drawbridge technology enables this by providing a software-defined overlay capability using endpoint agents that can be managed from the cloud. The integration of this capability into OPAQ’s cloud-based platform enables customers to eliminate complexity and costs associated with the traditional product-centric approach to security without compromising the same local network security assurances that they have previously relied on.

This integrated offering not only creates a ton of value and capability for clients, but will serve as a foundation for what will be extremely powerful security technology going forward – stay tuned!

IT Security Professionals Take a Stand: Why They’re Divorcing Themselves from the Security Product Ball and Chain

Business executives despise security – it’s often viewed as an impediment to growth and innovation – but they know they need it. On the other hand, IT security professionals thrive on security and an ecosystem of roughly 1,500 security product and services vendors that compete in a Zoolander-like fashion show, puckering up and striking poses every few minutes to show off their latest wares.

What organizations really need is a set of security functionality that works together to reduce the attack surface and reduce risk. This has traditionally been delivered through a multitude of products and services cobbled together with duct tape and fishing line, resulting in a massively complex and costly infrastructure. In addition to the massive costs, this approach continues to fuel the need for impossible-to-find security experts who can manage and maintain the infrastructure.

What more and more organizations are now realizing is that, rather than receiving the needed security functionality through an array of products and services, they can instead receive it from the cloud. Security-as-a-service not only frees up time for IT security professionals to focus on more strategic business initiatives, but it also reduces costs for business executives seeking to maximize every dollar invested in security.

As a result, what we’re seeing is an influx of IT security professionals picking up bolt cutters and snapping the chains of their traditionally product-centric approach to security. This shift is supported by a market study conducted by analyst firm 451 Research, where they sought to gain insight into the challenges and opportunities more than 300 US mid-tier companies face with respect to network security.

What’s Wrong with More Security Products and Services?
Nothing, as long as you have the personnel expertise, budget and time to dedicate to testing, procuring, integrating, refreshing and managing them. According to the study, more than 82% of respondents claimed they devote between 20 and 60 hours per week of in-house staff resources to procuring, implementing and managing network security. The average mid-market organization invests $461,000 per year on IT security, and nearly 40 percent of the total budget is spent on network security. These businesses also expect to increase spending on network security by an average of 10.9% over the next 12 months.

The reality is most mid-tier organizations lack the resources to keep up with this approach. Cloud, mobile and IoT adoption are only making this challenge more difficult.

Despite significant investment in network security, 63% of the respondents expressed having little to no visibility and control over all their distributed network, especially mobile devices, remote users, IoT devices and third parties.

According to the study, these challenges are typically tackled by 3 to 5 employees dedicated to IT security. This handful of employees spends many hours managing the various traditional IT security products and services required to protect the network. Many organizations also rely heavily on contractors and part-time employees, as well as MSSPs, which adds complexity to daily coordination efforts.

What’s keeping these organizations from advancing? 62% cited legacy IT. Challenges presented by legacy IT and personnel shortages are forcing organizations to look for new solutions to solve the network security and resource conundrums.

Nirvana: Automation and Centralized Security Control – From the Cloud
IT security professionals are increasingly looking to cloud-based services and new technologies to address business requirements and security challenges. In fact, two-thirds of the respondents indicated that they strongly prefer using a cloud-based security solution from a security-as-a-service provider for managing or co-managing their security. More than 70% of the respondents indicated they prefer security-as-a-service over on-premises or MSSPs.

The urgency around this shift is strong. More than 85% of the respondents in the study indicated that network security-as-a-service is “important” (within 12 months) or “critical” (within three months). Branch office enablement and optimization and threat management were cited as the main priorities for a swift shift to a network security-as-a-service solution.

The common thread between business executives and IT security professionals is that network security remains a significant business priority. The shift to security-as-a-service is not only about fleeing a complex and costly problem. It’s also about making a smart, strategic move to a delivery model that is strong and sustainable.

How IT Security Fits into Your Enterprise Risk Management Framework

Have you ever tried to represent cyber security’s place in enterprise risk management graphically? If so, then it has likely been done as a pie chart. The slices of the pie chart contain various components such as your customer’s supply chain, operational risks, fraud and so on. Then for almost all businesses today, one of the slices in that pie becomes cyber security.

However, this pie-based view is a little misleading when it comes to cyber security. So how does cyber security risk affect other components of your client’s business, and what does this mean for your organization?

The Right View of Cyber Security Risk

Cyber risk management is more accurately seen as a Venn diagram where a portion of the pie slices intersect.

Instead of a pie chart, imagine the various assets in your client’s business stacked on top of each other to form a cylinder. The various slices of that cylinder will be factors such as third-party risks, supply chains and data assets. At the center, running through this stack of slices are your client’s core business processes.

Business methods today are almost always aided by digital technology and online communications. This means that rather than being another slice isolated from the others, cyber risk management must be a core function within your client’s business. It is the core of this “risk tower,” supporting their business processes and running through the other sectors of the company.

How Cyber Security Affects Enterprise Risk Management

As the metaphor above implies, cyber security has become a business imperative for every other part of enterprise risk management. For example, when you talk about supply chain risk management, consider what happens if your client’s SCM portal goes offline, or the delay in onboarding a new supplier who can’t meet cyber security requirements.

As the client’s MSSP, you need to think about cyber security risk not as its own independent entity, but as part of the many portions of the enterprise risk model. This “Venn diagram” perspective allows you to bring the various portions together to see the effectiveness of your security program on all aspects of your client’s business.

Key Considerations for Cyber Security Risks

In general, there are three key elements of cyber security risks that you should evaluate when considering other components of enterprise risk management. All three must be in balance to help your cyber security program stand successfully.

  • Operation: Your client’s systems need to do what they are supposed to do for the business to run effectively.
  • Compliance: Whether it is FFIEC, HIPAA or other industry-specific buzzwords, your client’s systems need to operate in accordance with all applicable regulations.
  • Security: Your client’s systems need to operate in a safe and secure manner to protect internal and user data.

To use another metaphor, these considerations are like brakes on a car. We need our brakes because we want to drive, not stay parked in the garage, and we know that when we drive, we will eventually have to slow down or make a turn. Those brakes provide us security when driving the car, just as road signs guide us with compliance on the road ahead.

Similarly, balanced regulations and security controls allow businesses to drive ahead. Having these guardrails and keeping them in balance is critical in order to move the business at the pace that your customers need.

Final Thought

Cyber security is not just a slice of enterprise risk management, as it is often represented. Instead, it is a core component of all the elements in the enterprise risk management model. Understanding this fact is key to operating your business and having a successful risk management plan.

Quantitative v. Qualitative Measurements of Risk

While most MSSPs have a surface-level understanding of their customers’ “risk,” rarely do they invest the time to understand the implications. In particular, many organizations have a hard time differentiating between quantitative and qualitative risk, as well as the divergent impacts each can have on various parts of the business.

With that said, what are the distinctions between the two risk measurements, and why do you need to know the difference?

What Is Quantitative Risk?

Quantitative risk analysis involves assigning a defined dollar amount to a particular risk.

For example, if one of your customers keeps 500 confidential patient records on a server, you should work with them to conduct a business impact analysis to determine the replacement cost of each record. This would include expenses associated with informing patients of the attack, changing patients’ ID numbers, printing out new health cards and so on.

That said, while you can attempt to estimate the monetary value of the potential risk of an attack on your customer, you can never quantify the total risk due to the repercussions that will extend beyond the immediate effects of recovery and replacement. Business impact analysis can help you establish a floor for the costs of a cyber attack, but the maximum potential costs are likely uncertain.

What Is Qualitative Risk?

In qualitative risk assessments, analysts assign a rating (rather than a dollar amount) based on the severity of a risk, ranging from informational to critical.

Analysts begin first by developing an understanding of the environment based on information they gather internally and/or externally. Then they put that information into context by leveraging analytics on how users interact with the environment. Based on what is uncovered, different businesses could face the same threat but have a different system risk analytics profile.

As a result, it is more challenging to attribute a specific threshold or value in these cases, since labels are typically fluid and poorly defined.

Another important component of qualitative risk to consider is reputational risk, which comes into play in the immediate wake of the attack. By definition, reputational risk has a more lasting “ripple effect” on a business, as it pertains to what happens in the aftermath of an event. Reputational damage can come in many forms, including reduced sales potential, lost deals, negatively impacted earnings, and eroded investor and consumer confidence.

Final Thought

Many organizations do not have the budget or expertise to handle their IT security needs in-house, so they look to you, managed security service providers (MSSPs) and outside vendors, for help. As an MSSP, you will want to know the contextual knowledge about your clients’ business, such as why the environment is configured a certain way, what dictates the layout or the architecture and how the business is ideally run.

You may be monitoring their environment and addressing their top daily priorities effectively, but without your client’s insight, you will be flying blind. As an MSSP, your organization is charged with overseeing the health of your customers’ IT security ecosystem, and you will require institutional knowledge to help deliver a true assessment as to the qualitative and quantitative risks of any given situation.

Empower your clients with both quantitative and qualitative risk assessments built by the context of their unique business, and revise and revisit that information on a regular basis.

Receiving Security From the Cloud: Why Cloud Maturity is Driving Security Transformation

For well over a decade, the cloud has garnered much hype and attention – and for good reason. For organizations bold enough to leverage it, the cloud has delivered staggering results including faster service delivery, reduced costs and greater agility.

Organizations have matured in their adoption and use of cloud services from email and HR Software-as-a-Service solutions to leveraging Infrastructure-as-a-Service providers to create new solutions and value for customers.

From the day the term cloud computing was coined, security has consistently been cited as a primary concern by organizations when considering moving business functions to the cloud – and it’s not hard to see why.

Utilizing yesterday’s bolt-on security as you implement your cloud strategy is extremely problematic. Moreover, the cloud era has coincided with a litany of other tech trends, such as Bring Your Own Device (BYOD), the Internet of Things, and increasing levels of telework, that have made cybersecurity extremely challenging for businesses large and small.

These trends have erased the traditional concept of a security perimeter, causing IT professionals to patch one “leak” in the security dam as six more spring up. It’s an eternal and exhausting struggle, and one that hasn’t had an easy solution.

That is why we’ve formed OPĀQ Networks, which is an important evolution in network security and how security is delivered.

Security Is Still a Human Issue

The companies that can afford to find and retain security talent perform much better than those that can’t. However, the bottom line is that even for the most resource-rich, security-focused companies, there will never be enough security expertise.

There are quality security solutions out there that can provide protection in certain areas, but products are only useful if people have the time, budget and expertise to properly manage them.

Studies show the average large enterprise has anywhere from 3 to 5 network security products. Considerable amounts of time and expertise need to be put into the evaluation and management of a company’s security stack. Not to mention all of the selected products will have patches, updates and licenses that will need to be managed. And after all is said and done, a substantial number of security breaches occur due to poorly implemented policies and improperly implemented security products.

In 1997, I co-founded NetSec and helped pioneer the Managed Security Services Provider (MSSP) business model. We helped many companies with their security by providing outsourced monitoring and management of security devices and systems until I sold the company in 2005. The reality is that, even as the experts, NetSec and many other MSSPs struggled to keep pace with the highly diverse product base and distributed control of our clients’ network and security infrastructure.

Security-as-a-Service: Tightening Control, Simplifying Networks

The answer to the human issue is to bring network security into the cloud age. Rather than deploying and managing point security products with distributed and disjointed policies, network security controls should be tightly integrated into the network and managed through a single policy control point. Security from the cloud can then be extended to any location, user and device on demand.

This post on the Securosis blog by Mike Rothman does a good job of illustrating compelling use cases for security-as-a-service:

  • Optimized Interconnectivity: You might have 85 stores which need to be interconnected, or possibly 2,000 employees in the field. Or maybe 10 times that. Either way, provisioning a secure network for your entire organization can be highly challenging – not least because mobile employees and smaller sites need robust access and strong security, but fixed routes can negatively impact network latency and performance.
  • Security by Constituency: One interesting extension of the policies above would be to define slightly different policies for certain groups of employees, and automatically enforce the appropriate policies for every employee. Let’s consider a concern about the CFO’s device. You can put her and all the folks with access to sensitive financial data in a special secure network policy group.

At NetSec, we provided the best security possible at the time, but there were technological and physical limitations to what we could offer. And the MSSP model hasn’t dramatically changed. Distributed security products bolted on to a network managed by a separate team result in endless false alarms and incomprehensible policy. The legacy perimeter protection approach was difficult then and is near impossible within today’s hybrid cloud environments.

The growth capital OPĀQ Networks announced today will help us accelerate our research and development, operations, and customer growth in the commercial market. This is a tremendous step towards finally tackling the human issue head-on. It’s an issue that has been at the heart of security challenges for decades. And because of the maturity of cloud, now’s the time you’ll see positive disruption in how security is received.