The right (and wrong) ways to spend your security budget

Executive Summary

According to global IT services provider Dimension Data, nearly half of all enterprise networks will be obsolete within five years, as bring-your-own-device (BYOD), digital video and virtualization eat up capacity and resources. Yet "network security" still has the largest number of searches. The real question in all of this, however, is not whether the network needs to change, but how. This article explores why we can’t just focus on network security the way we have in the past, turns to app security, and explains why protecting user identities and app access may be your top priorities.

Remember renting VHS videos, wearing Doc Martens, and listening to grunge on the radio? While the 1990s are just a dim memory for most of us, they live on in the data centers of many large enterprises. A surprising number of IT organizations are still collecting network access logs and parsing them like it’s 1999.

Back then, everything lived on servers behind a firewall inside your data center. Software came in a box, and you installed it on racks of machines you owned. You could identify all the clients on the network, so you could control access to apps and data pretty tightly. Your biggest worries were insider threats, accidental data breaches, and the occasional malware train wreck like the Melissa Virus.

Fast-forward to today: Your line-of-business software is sitting on someone else’s servers in the cloud. Your employees and maybe even some of your customers are accessing it via a web browser or a smartphone app. Your endpoints are everywhere, and your worries have shifted from your network to any of the 3.2 billion people on the Internet who might have malicious intent.

The good news is that as threats have increased in number and scale, so have security budgets—companies are investing more in security than ever before. The bad news is that if you don’t invest in the right places, your threat surface may continue to increase. As you ponder your own security investments, consider these four essential truths.

1. App breaches are on the rise

Today, an increasing number of breaches happen via apps, yet the majority of IT security budgets are still spent securing the network. The target is now at the application level, which has become the gateway to your data. While no one is saying you should abandon your network security spend, you need to prioritize your budget and make sure the money flows where it will have the greatest impact.

2. Identity and access control are key

The two most critical areas of security in the digital transformation era are the ability to verify the identity of any user in any location and to protect the application no matter where it resides. In other words, you have to secure both access to the application and the application itself. The network is merely a component of that, not the primary focus.

3. You can’t secure what you don’t understand

Visibility and context are key. You need to know what your apps are doing and if they’re acting the way you expect them to, because the first sign of a breach is often aberrant behavior in your apps. That means you need to be able to decrypt all your traffic and control all the functions and subfunctions for each protocol—HTTP, SSL, and DNS. Without visibility into processes and a contextual understanding of how your apps operate, you’re operating blind.

4. The demand for talent outstrips supply

Corporations’ appetite for better and more functional apps is almost infinite; the supply of experienced app developers is not. Newbie developers, under pressure to produce apps in greater numbers and more quickly than ever before, are far more likely to introduce flaws. Meanwhile, security pros who can flag the flaws and mitigate the damage are also in short supply; current estimates say there are some 200,000 more open cybersecurity positions than there are bodies to fill them. Inexperienced developers coupled with a lack of experienced security pros is a disaster waiting to happen. If staffing is a problem, consider partnering with a service provider offering tools like dynamic application security testing (DAST) that can automate testing to protect against existing or new vulnerabilities.

Bottom line:

If you’re like many companies today, you’re probably spending the majority of your security budget on your network. You may be leaving yourself vulnerable. But there are things you can do. First, make sure you’re focused on app security; protecting user identities and app access are your top priorities. You’ll need to gain visibility into all your traffic, including encrypted data, and establish baselines so you can identify anomalous behavior. Finally, if you don’t have the app security expertise in house, look for a partner who can step in and provide the protection your enterprise requires.
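Point 3 and the bottom line both come down to the same practice: know what normal looks like for each application, then flag what departs from it. The block below is an added illustration of that practice, not code from the article or from any product it mentions. It runs over a handful of constructed application access-log lines (timestamp, client, method, path, status, bytes; the format is an assumption), builds a per-path baseline from several known-good windows, and reports three kinds of deviation in a later window: request volume well above baseline, a 5xx error rate well above baseline, and traffic to a path the baseline never saw. The thresholds (`count_factor`, `error_delta`, `min_count`) are illustrative starting points, not recommendations from the page.

```python
"""Baseline-and-deviation check over application access logs (added example).

Log format is a constructed assumption:  <ts> <client> <method> <path> <status> <bytes>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarize(lines):
    """Per-path request count, 5xx error rate and distinct-client count for one window."""
    stats = defaultdict(lambda: {"count": 0, "errors": 0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped; a real pipeline would count them
        s = stats[rec["path"]]
        s["count"] += 1
        s["errors"] += 1 if rec["status"] >= 500 else 0
        s["clients"].add(rec["client"])
    return {
        path: {
            "count": s["count"],
            "error_rate": s["errors"] / s["count"],
            "clients": len(s["clients"]),
        }
        for path, s in stats.items()
    }


def build_baseline(windows):
    """Average per-path metrics over several known-good windows of equal length."""
    per_path = defaultdict(list)
    for window in windows:
        for path, m in summarize(window).items():
            per_path[path].append(m)
    baseline = {}
    for path, metrics in per_path.items():
        # A path absent from a window contributed zero requests to that window.
        baseline[path] = {
            "count": sum(m["count"] for m in metrics) / len(windows),
            "error_rate": sum(m["error_rate"] for m in metrics) / len(metrics),
        }
    return baseline


def detect_anomalies(baseline, window, count_factor=3.0, error_delta=0.2, min_count=5):
    """Return (path, kind, baseline_value, observed_value) for each deviation found."""
    findings = []
    for path, m in summarize(window).items():
        if m["count"] < min_count:
            continue  # too little traffic to judge; avoids noise from rare paths
        base = baseline.get(path)
        if base is None:
            findings.append((path, "unseen_path", 0.0, m["count"]))
            continue
        if m["count"] > count_factor * base["count"]:
            findings.append((path, "request_volume", base["count"], m["count"]))
        if m["error_rate"] > base["error_rate"] + error_delta:
            findings.append((path, "error_rate", base["error_rate"], m["error_rate"]))
    return findings


def _window(n_orders, n_login, n_order_errors=0):
    """Generate constructed log lines for one observation window."""
    lines = []
    for i in range(n_orders):
        status = 500 if i < n_order_errors else 200
        lines.append(f"2024-05-01T10:00:{i % 60:02d}Z 10.0.0.{i % 5 + 1} GET /api/orders {status} 512")
    for i in range(n_login):
        lines.append(f"2024-05-01T10:01:{i % 60:02d}Z 10.0.0.{i % 5 + 1} POST /login 200 128")
    return lines


# Constructed sample data: three quiet windows, then one window with a burst of
# failing order requests and traffic to a path the baseline never saw.
BASELINE_WINDOWS = [_window(20, 10), _window(22, 8), _window(18, 12, n_order_errors=1)]
SUSPECT_WINDOW = _window(70, 10, n_order_errors=30) + [
    f"2024-05-01T10:02:{i:02d}Z 10.0.0.9 GET /admin/export 200 4096" for i in range(6)
]

if __name__ == "__main__":
    for finding in detect_anomalies(build_baseline(BASELINE_WINDOWS), SUSPECT_WINDOW):
        print(finding)
```

The same baseline also answers the point made under "You can't secure what you don't understand": a quiet window run through `detect_anomalies` produces nothing, so anything it does report is a departure from how the application normally behaves, which is the signal the article says to look for first.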

Daniel Tynan is an American journalist, television and radio commentator who specializes in technology, humor, and humorous takes on technology. He is a contributing editor for PC World, InfoWorld.com, and Family Circle magazine, and tends the Robert X. Cringely blog “Notes From the Field” for InfoWorld. His work has appeared in more than 50 publications, including Newsweek, Family Circle, Popular Science, Wired, and Playboy.com. He has appeared on CNN, CBS, NPR, Discovery, and Fox News, as well as dozens of regional television and radio programs.
