In a rare consensus, 100% of the 167 enterprises I’ve gotten 2024 planning information from as of October 1st say that security is a critical focus for 2024. It’s also interesting that over 95% of these enterprises say that security requirements impact network services, network products, application software, platform software, cloud computing, BYOD, and employee Internet access. In fact, there were a total of 19 different impact areas cited by over half of these enterprises, and it’s hard to see much of anything that’s not represented there.
One thing that all these impact areas have done is fragment security planning and policy. Only 73 of those enterprises said they had a formal “chief security officer”, and only 43 staffed the activity with more than what’s essentially a staff-position leader. In 153 of the enterprises, the CSO reports to the CIO, and in 148 of the enterprises, the head of security (whatever the title) is truly an advisor who has no budget or procurement authority of their own. Security is most often handled like compliance in the enterprise world.
This may be why so many called the Cisco deal for Splunk a transformational shift. Observability is a mainstream activity, perhaps the only place where enterprise IT and network issues are converging. If security were to be added to the observability mandate, could that begin to coalesce security products and planning? Vendor friends tell me that their companies see this trend, see it as a possible threat, an opportunity, or both, and are preparing a response. They’re not yet confident in their approach, nor are they particularly anxious to be proactive. Most feel that even Cisco’s latest move could be as much a sales tactic as a strategic shift, and most would rather compete in the market as it is than face a new converged mandate.
According to enterprises, the biggest driver of incremental security spending is the coverage of major breaches. That tends to encourage vendors to offer narrow-scope solutions that tie into a publicized problem, and even companies with a broader strategy admit that their sales approach will always focus on the visible breaches. That point is one reason why Cisco’s competitors want to see what happens with Splunk; it’s very possible Cisco’s sales-driven approach will limit the broad impact the deal could have otherwise.
Even enterprises are impacted by this incident-specific security planning problem. Only 19 of the enterprises were confident they could catalog an overall security plan from a technology perspective. Those who offered one (47) offered goals but no specifics, not even technical principles. What you can’t define cannot be made the basis for an RFP, so even attempts to organize security products into a security model tend to fall apart. What might, stressing the qualifier, be possible is to organize those goals into a framework that could at least suggest an approach.
Enterprises cite three major security issues with near-100% support. The first is “hacking”, which to them means intrusion into their networks to steal information, disrupt operations, or alter data. The second is “malware”, which enterprises classify as the hacking threat embodied in something that’s been planted within the enterprise. The third is “subversion”, which is the same threats, but created by enlisting the aid of someone (an employee, partner, contractor) who has some level of legitimate access.
Hacking is a through-the-network threat that, under our definition, is a third-party intrusion. That means that a primary mechanism for dealing with hacking could be authenticating network access, and this has been a feature of security strategies from the start. When companies hosted their own websites, they usually set them up as a compartmentalized web-specific framework with a specialized security firewall linking them to the rest of their IT assets. However, hackers started looking for software issues that could be exploited (hence the term “exploits”) to gain access through the security barrier. Because the firewall has to admit legitimate web traffic by design, an attack carried inside that traffic passes through it and lands on the application itself, which means that traditional network intrusion barriers can be ineffective.
Malware is a software element that is planted somewhere, and that inherits the trust afforded to other things being run there. Malware is often associated with the contamination of a user device, a laptop, phone, or tablet, and is often planted through a website the user accesses. The malware gains access to the network through the user’s own privileges, and essentially hacks from the inside. It’s also possible that the malware is a “Trojan” that, rather than doing complex hacking on its own, loads something else that does. Finally, the malware could simply steal logon information that would then be used by a “hacker” in the more traditional from-the-outside attack.
The final risk, an insider who’s been “turned”, is the most difficult to address. How do you protect yourself against someone who has legitimate access to the information and applications? The answer, in areas where formal national security and clearances are involved, is to monitor what people access or to control what they’re allowed to access very carefully.
I think that point is really at the heart of realistic and holistic security strategies. You must, in order to provide security, have a means of identifying bad behavior, however it comes about. The corollary to that is that you have to be able to identify good behavior, doing the things that a person’s job requires. To me, that should be and should always have been the root of a “zero-trust” notion. In fact, we used to apply that sort of thing routinely when applications all ran in the data center, data was always stored there, and applications themselves were monoliths. The advance of componentization, the use of the cloud, and other modern steps to enhance IT efficiency in boosting worker productivity, have all combined to weaken these early “role-based” access control attempts. When a request passes through a chain of components, each one often authenticates as itself rather than as the person who started the request, so the role that gets checked belongs to a service account with far broader access than any individual job requires.
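To make the two preceding points concrete, here is an added example (not from the original post or from any vendor) of a role-based access check and an audit pass over access events. The roles, users, resources and log events are all constructed for the illustration. The `propagate_identity` switch shows the weakness the paragraph above describes: when a service account acts on behalf of a user and the check is made against the service’s own role, the user inherits the service’s reach; when the originating user’s identity is carried through, the check returns to the job-based intent. The `audit` function is the “monitor what people access” side of the insider problem: it replays recorded events against policy and reports grants that the end user’s role does not cover, plus a per-user count of refused attempts.

```python
from dataclasses import dataclass
from typing import Optional

# Role -> set of (resource, action) pairs the role may perform.
# All roles, users and events below are constructed for this example.
POLICY = {
    "accounts_payable": {("invoices", "read"), ("invoices", "approve")},
    "hr_analyst": {("payroll", "read")},
    "reporting_service": {("invoices", "read"), ("payroll", "read"),
                          ("payroll", "write")},
}

# User -> roles. The service account holds a broad role so that it can
# serve every caller; that breadth is what componentization introduces.
USERS = {
    "alice": {"accounts_payable"},
    "bob": {"hr_analyst"},
    "svc-reporting": {"reporting_service"},
}


@dataclass(frozen=True)
class AccessEvent:
    principal: str                      # account making the call
    resource: str
    action: str
    on_behalf_of: Optional[str] = None  # end user a service is acting for
    granted: Optional[bool] = None      # what the enforcement point did


def permitted(user: str, resource: str, action: str) -> bool:
    """True if any role held by `user` grants (resource, action)."""
    roles = USERS.get(user, set())
    return any((resource, action) in POLICY.get(role, set()) for role in roles)


def check_access(ev: AccessEvent, propagate_identity: bool) -> bool:
    """Policy decision for one request.

    propagate_identity=False judges a service call by the service's own
    role, so any user routed through it inherits the service's reach.
    propagate_identity=True judges it by the end user's role instead,
    restoring the original job-based intent.
    """
    subject = ev.principal
    if propagate_identity and ev.on_behalf_of is not None:
        subject = ev.on_behalf_of
    return permitted(subject, ev.resource, ev.action)


def audit(events, propagate_identity=True):
    """Replay recorded events against policy.

    Returns (unexpected_grants, denied_attempts):
      unexpected_grants - events the enforcement point allowed but that
                          the (end) user's role does not cover
      denied_attempts   - per-user count of refused requests, i.e.
                          off-role probing worth a second look
    """
    unexpected = []
    denied = {}
    for ev in events:
        allowed = check_access(ev, propagate_identity)
        if ev.granted and not allowed:
            unexpected.append(ev)
        if ev.granted is False:
            denied[ev.principal] = denied.get(ev.principal, 0) + 1
    return unexpected, denied


# Constructed access log. `granted` records what a legacy enforcement
# point (no identity propagation) actually did for each request.
SAMPLE_EVENTS = [
    AccessEvent("alice", "invoices", "read", granted=True),
    AccessEvent("bob", "payroll", "read", granted=True),
    AccessEvent("bob", "payroll", "write", granted=False),
    AccessEvent("svc-reporting", "payroll", "read", "alice", granted=True),
    AccessEvent("svc-reporting", "invoices", "read", "alice", granted=True),
    AccessEvent("bob", "invoices", "approve", granted=False),
]

if __name__ == "__main__":
    unexpected, denied = audit(SAMPLE_EVENTS)
    for ev in unexpected:
        print("grant outside the end user's role:", ev)
    print("denied attempts per user:", denied)
```

Run stand-alone, the audit flags the fourth event: the reporting service read payroll for alice, which the service’s role permits but alice’s does not. Replaying the same log with `propagate_identity=False` flags nothing, which is exactly how a broad service role hides an off-role access from a role-based review.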
While there are many different ways in which security can be breached in our modern world, there are a small number of remedial actions that are essential to addressing any of those ways. All of them are available, but only a small percentage of enterprises start their security planning by recognizing them explicitly. Because they tend instead to address security based on how widely a breach has been publicized, enterprises put themselves at risk. A strong centralized security policy is rarely considered, and that has to change if we’re ever to get control of security.