On Thursday, March 17, Peter Tsai, the head of technology insights at Spiceworks Ziff Davis (SWZD), spoke with Derek Brink, VP and research fellow of information security at Aberdeen Strategy & Research, about what an organization's security strategy looks like today. During their 27-minute chat, the duo discussed recent developments and the factors influencing organizations' cybersecurity purchase decisions.
According to Brink, zero trust is one of the cybersecurity topics receiving widespread attention. In fact, it is one of the top five funded security initiatives of 90% of respondents in one of Aberdeen’s surveys.
Brink pointed out that the concept of zero trust isn't new. However, as technology advanced, the line between 'inside and outside' has blurred over the years. "De-perimeterization and the idea that there is no longer really any difference between inside and outside the corporation. The corporation is everywhere. The idea that there is no firm inside versus outside is definitely, I think, a big driver for interest in zero trust." Zero trust "made the cut" for budget allocation and prioritization among some of the other top projects.
Now that priorities have changed, what steps can businesses take to help protect their data? Brink says the security space is strewn with over 3,000 vendors and solution providers, with one or many vendors serving each security category. He counted up to 120 categories before losing track.
"It's great," he says, "it speaks to the importance of the problem and there's constant innovation. With respect to protecting data, there are only eight basic strategies. Eight basic strategies out of all solutions to safeguard our data."
#1 Security Strategy: Do Nothing
"The first one is the default strategy, that is to do nothing," says Brink. "People might say 'wait a minute, that's not really a strategy,' but it is. If you classify your data and take a risk-based approach, and you say, this data is worth protecting, and this isn't, then some of the data you don't have to protect at all."
#2 Security Strategy: Backup and Recovery
"You need to back it [data] up, especially with ransomware being so prevalent. The ability to back up and recover is a critical part of [organizational security], it always has been but it's even more highlighted now, because of current exploits that are happening."
Ivanti discovered that ransomware was the fastest-growing attack vector in 2020 and 2021, surging by 291% and 29% year-over-year, respectively. And while ransomware is the most popular attack vector, it is by no means the only one to have risen in the past couple of years.
#3 Security Strategy: Access Control
Brink says access control, i.e., allowing access only to users with the right permissions, is the way to go. Additionally, all of these users need to be authenticated.
To apply permissions and authentication consistently, Brink recommends a centralized repository, such as a database or a content management system that enables file sharing.
#4 Security Strategy: Data Monitoring and Filtering
This includes monitoring and filtering email, web, and database activity, data loss prevention software, etc. "What you'd be looking for is keywords and things that would be flagged: hey, this data shouldn't be where it is."
Brink called data monitoring and filtering "one of the most controversial" strategies, probably because of the sensitivity of the data, user interactions, and user activity.
#5 Security Strategy: Data Encryption
Encryption, i.e., making valuable corporate data unreadable to unauthorized users, can be applied in the backend, in transit or in use, at the endpoints, and on other hardware and removable devices.
This is important because the current corporate landscape includes networks, hybrid cloud and on-premise environments, and a distributed workforce. Encryption also ensures confidentiality and data integrity, a hallmark of information security. Encryption can be achieved with either symmetric or asymmetric methods.
#6 Security Strategy: Tokenization
"Substitute non-data for data," Brink said. Tokenization is the practice of replacing meaningful data, such as account details, with random strings of characters known as tokens, which have no meaningful value of their own.
So if a breach occurs and the data is compromised, it is of no real value to the attackers. Tokens serve as a reference to the original data but cannot be used to derive those values. Tokenization differs from encryption in that encryption uses mathematical algorithms to shield the data, whereas a token merely stands in for the original data without being derived from it.
Tokens are undecipherable unless the relationship with the original data is retrieved from a secure database when needed.
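A minimal token vault illustrating the distinction drawn above: the token is a random reference, so no key or algorithm reverses it and the only way back is an authorized lookup in the vault. This is an added example, not code from the talk or from Aberdeen; the `TokenVault` design, the keyed index used to reuse tokens for repeated values, and the sample record are all constructed here.

```python
# Minimal tokenization vault, constructed for illustration (not from the talk).
import hashlib
import hmac
import secrets


class TokenVault:
    """Issues random tokens for sensitive values and keeps the only mapping back.

    Unlike encryption, no key or algorithm turns a token back into the value:
    the token is a random reference, and reversal needs a query to this vault.
    """

    def __init__(self, index_key: bytes):
        # A keyed hash index lets the vault reuse a token for a repeated value
        # without keeping the plaintext as a dictionary key (assumed design).
        self._index_key = index_key
        self._token_by_index: dict[str, str] = {}
        self._value_by_token: dict[str, str] = {}

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the token for value, minting a fresh random one if unseen."""
        idx = self._index(value)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(8)
            while token in self._value_by_token:  # vanishingly rare collision
                token = "tok_" + secrets.token_hex(8)
            self._token_by_index[idx] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str, caller_authorized: bool) -> str:
        """Look the original value up; the vault itself enforces access control."""
        if not caller_authorized:
            raise PermissionError("detokenization denied for this caller")
        return self._value_by_token[token]


def tokenize_record(vault: TokenVault, record: dict, sensitive_fields: set) -> dict:
    """Replace sensitive fields so the application store holds only tokens."""
    return {k: vault.tokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")
    stored = tokenize_record(vault, {"name": "A. Customer", "card": "4111111111111111"}, {"card"})
    print(stored)  # the card number never appears in the application record
    print(vault.detokenize(stored["card"], caller_authorized=True))
```

In production the vault would persist its mapping in a hardened, separately access-controlled store, typically with the stored values encrypted as well.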
#7 Security Strategy: Rights Management
This refers to the rights that govern which actions users can perform on the data. It is among the least deployed strategies, Brink noted.
He said, "No matter where the data flows around, you have controls that kind of flow with it, and you can still have control over that data in terms of what can be done with it. Can you copy it, delete it, play it, forward it, those kinds of things."
#8 Security Strategy: Delete It
Keeping more data, especially data that has served its purpose and is no longer needed, creates more compliance exposure. Organizations should not retain data for longer than necessary.
"When we no longer have the need for the data we collected, and you know, we are required [by] compliance regulations to get rid of it for privacy reasons." Moreover, organizations may be legally obligated to delete data.
Brink, a certified information systems security professional or CISSP, adds that there's no one magic trick to secure organizations. "I know some people want to attend a talk like this and hear, 'here's the next shiny toy,' but it's not like that. I think in general, there's basic approaches and then there's always a new and novel way because of this innovation that's constantly going on and on."
The overall security posture depends on a cohesive approach that involves these eight strategies and any new ones that may emerge in the future. "Most companies have a mix of these strategies, and some may even have all of them," Brink said.
Brink and Aberdeen's assessment revealed that implementation of:
- Backup and recovery is "high"
- Central repository and relevant access control is "very very prevalent"
- Encryption is "more and more common"
- Tokenization, data masking and substitution, and rights management are "less common"
- Retention/deletion policies on how long to keep the data "should be higher" than what organizations currently have
Who is Impacted the Most?
"The industries that are the most impacted tend to be the ones that have high value data, highly regulated industries, because regulations tend to follow where data is valuable," Brink said.
He listed the financial and healthcare sectors before pointing out the prevalence of data in all industries. "The rain falls on everyone and security issues really affect everyone." Brink also stressed the importance of critical infrastructure, any disruption to which can impact supply chains.
"Any vulnerabilities that we have, haven't just dropped since the military conflict started. They were always there. It's just that now we are more aware that the potential for them to be exploited is perhaps higher."
Regarding organizations' cybersecurity preparedness, Brink said organizations that outsource their security tasks are leaning on third-party vendors and managed security service providers because of a lack of in-house expertise. Presently, two-thirds of respondents to (ISC)²'s 2021 Cybersecurity Workforce Study said they face workforce shortages.
This is despite the influx of 700,000 professionals into the cybersecurity workforce. The global demand for cybersecurity professionals continues to outpace supply.