Please share your comments; critics make life meaningful!

Wednesday, August 30, 2017

Information Security enabling Digital Transformation

The domains and practices of Information Security (IS) have certainly matured over the last two decades of their formal existence. ISO 27001/2, instituted in 2005 and revised in 2013, and before that BS 7799, published in 1995, date the domain very clearly. However, maturity in the practice of IS has accelerated only in the last decade, during which we have witnessed broad acceptance of security as a key pillar of Information Technology (IT). But it's only in the last few years that IS has become accepted as a core business concern, and cyber risks have risen to become one of the top three risks for business around the world. This period also coincides with the biggest data breaches across business sectors and the largest global malware attacks of all time. So it may be assumed that IS has come to prominence due to the visibility created by such large attacks and breaches, but I'd argue that there was no stopping the evolution of IS into a key business consideration even without such breaches and attacks. In the last few decades, IS has grown from being a mainly compliance-driven function to a key business requirement, primarily due to the increasing reliance of modern business on computing, data, and digitization. This era of digital transformation has brought IS risks to the fore as significant and sometimes critical risks to the enterprise, and the breaches and attacks we are witnessing are only the manifestation of some of these risks into reality.

Security practices have also evolved in these few decades from mostly compliance mandates to design, engineering, and architecture considerations and risk management measures. For a long time, the IS standards and frameworks were a broad set of flat controls to be complied with uniformly across the enterprise, with a focus on protection. Then, in recent times, they have evolved to be multi-tiered and risk-based, with a cyclic paradigm. The NIST Cybersecurity Framework in particular covers the entire gamut of security functions: Identify, Protect, Detect, Respond, and Recover. Policies and processes have evolved from single-layered to multi-layered, from independent to inter-dependent, and from largely manual to mostly automated.

Security practitioners have evolved from infrastructure specialists with a compliance focus to risk managers and business enablers. Security technology companies have also evolved from boutique security firms such as Symantec to global multinational technology providers, such as Microsoft, who build security into their broader technology solutions meant to support core business, productivity, and digital transformation. Security technologies have evolved from point tools focused on the network layer, with little and tedious integration, to multi-function solutions designed to be interoperable and to work as one fabric. For example, the Enterprise Mobility Suite (EMS) from Microsoft provides comprehensive identity, device, and data management and security capabilities while also being designed to work seamlessly with the Microsoft Office 365 and Windows 10 platforms. Security solutions have become integrated and embedded into the technology infrastructure fabric; for example, Windows 10 comes pre-built with antivirus, spam protection, device protection, credential protection, advanced threat protection, and so on.

Security managers, CISOs, infrastructure leaders, architects, CIOs, and business leaders need to get involved and examine closely how security should be managed within enterprises in the cloud and mobility era, so that they get it right the first time. That means procuring integrated, scalable, and complementary solutions which support productivity, provide a secure operating ecosystem that accelerates digital transformation, and enable technology consolidation and cost containment.