The complexity of today’s enterprise infrastructure environment has created demand for a great variety of dedicated point security solutions, triggering a disconcerting array of alarms and alerts that most organizations struggle to address with their current access to talent and staff. While implementing effective strategies that harness automation and security technology remains critical, the most successful organizations tackle complex security challenges by involving different organizational disciplines in the risk-management problem statement.
These were among the conclusions of a CIO.com virtual roundtable that featured over a dozen enterprise technology executives from the financial services, manufacturing, healthcare, transportation, and logistics sectors.
When it comes to addressing enterprise technology complexity, organizations appear resigned to the fact that they must prepare their organization to protect and defend assets scattered across on-prem and a variety of cloud resources for the foreseeable future. That said, many of the participants pointed out the need to develop a common enterprise-wide “cloud-native” approach to managing and securing their heterogeneous environments. It represents the latest evidence of a break with the conventional wisdom of the recent past, in which technology modernization was closely — if not exclusively — correlated with cloud migration.
Several participants pointed out that if workloads are to remain on-premises, they cannot continue to exist in a “naked legacy state” indefinitely. These assets must either be: 1) “modernized” to platforms that enable secure integration across the enterprise-wide data and application fabric; or 2) cocooned and then connected to the rest of the “cloud-native” hybrid infrastructure with APIs and/or containerized microservices.
Roundtable participants reported that the talent shortage and skills gap continue to challenge CISOs and CIOs alike. One way to address this issue is to broaden corporate participation in security initiatives by getting other corporate disciplines — finance, operations, IT, etc. — involved in the risk management process.
This objective can be accomplished by inviting broader segments of the corporate community to security tabletop exercises. Several participants pointed out how well-attended sessions held regularly throughout the year can bring joint clarity to risk and security factors. These exercises help organizations hone their resilience strategies while providing a constructive basis for discussing priorities and defining what their minimum viable business (MVB) looks like.
Involving multi-disciplinary teams in tabletop security events offers a terrific opportunity to assess what assets exist where while shining a joint, multi-perspective light on the data and applications that are most critical to the business. This makes it possible for security and risk management teams to better focus limited technical, financial, and human resources on the assets that matter most.
It was interesting to see how low-tech these exercises can be. As one executive described it: “We meet in virtual sessions periodically and play out the consequences of bringing resources down across the organization. Participating executives work together to develop their responses. It exposes technical and business process dependencies in a low-stress environment that comes in handy when a real-world incident occurs.”
The exercises also give all team members a front-row seat on what bad actors are up to. Combining outside-in (through attack surface management assessments) and inside-out (critical vulnerability assessments) analysis goes a long way toward establishing an enterprise-wide understanding of the real-world risks to which modern hybrid, multi-cloud infrastructures are exposed.
To learn more about CIO events, go to https://www.cio.com/events/.