Time for a new security paradigm, says ex-military CIO

Security is constantly changing, which means security professionals need to be proactive, says a former US military CIO


“They need to look at security from multiple perspectives all the time,” Maria Horton, chief executive of information assurance firm Emesec, told attendees of the (ISC)2 Security Congress 2013 in Chicago.

But, many feel overwhelmed by the security implications and enormous potential pitfalls of moving to mobile and cloud environments, she told Computer Weekly.

“Our society is becoming more dynamic, which means preconceived notions of security practices need to change too,” she said.

Assessing security priorities

According to Horton, information security professionals need to evolve their approach to security to match technological evolution, and give up the old idea of achieving “perfect” security.

“Start by determining the organisation’s risk tolerance and formulate a security strategy accordingly, giving the most protection to what matters most,” she said.

Companies that need to grow would typically have a greater risk tolerance than government agencies, such as the US Department of Veterans Affairs, which is one of Emesec’s largest customers.

Security has more chance of success, said Horton, if it is concentrated on only the most critical information assets rather than trying to protect everything.

The difficulty with a risk-based approach to security, she said, is that many security professionals are unwilling to prioritise out of fear of making the wrong choices.

However, making choices is also necessary to ensure that limited security budgets are well spent on protecting what is really important, said Horton.

Expand the security skills base

In recognition of the rapidly changing technology and threat environments, she said businesses should also change their security recruitment practices to seek out people with multiple skills.

“Non-traditional backgrounds in such things as combating fraud can provide different perspectives,” said Horton.

Security professionals need to start integrating non-traditional skills into their teams if they want to remain relevant to their organisations in future, she said.

Cloud security challenges

Turning to the specific security challenges of cloud computing, Horton said all contracts should include a get-out clause that applies if service providers fail to meet the agreed service levels for security.

Before signing up to a service, organisations should also determine how to ensure they are able to migrate to another service provider if necessary and define a clear exit strategy.

“Ask important questions around what happens to data when you leave, about who owns what data, and how intellectual property will be protected,” said Horton.

It is also important to ensure upfront that security strategies are flexible enough to keep up with potential changes, such as a move to another cloud services provider.

“There is still no clear security standard for cloud, so organisations must accept that they will essentially need to make one on their own,” said Horton.

Looking to the future, she said that over and above baseline security, organisations should expect to pay for the level of security they want.

In any event, organisations should ensure that enterprise management of cloud service level agreements is a key part of the overall cloud strategy.
