Sergey Nivens - Fotolia

World’s biggest companies lack maturity in security, says IBM Security

Many big organisations are still grappling with the challenge of establishing a more cohesive and collective security strategy, says IBM Security

The biggest companies in the world are still “highly immature” in key information security domains, according to Marc van Zadelhoff, general manager, IBM Security.

“It amazes me every day that large companies still lack maturity in network, endpoint, mobile, application and data security, identity and access management, fraud protection and security intelligence,” he told Computer Weekly on a visit to London.

“Some of the largest institutions in the UK still use spreadsheets for identity management and have logging capabilities only in the security operations centres (SOCs), which shows many companies are grappling with the challenge of trying to get to a more cohesive and collective destination in security, away from the fragmentation that resulted from focussing on traditional technologies like antivirus and firewalls,” said Van Zadelhoff.

There is also a lack of maturity in modern technology in these domains and in thinking across these domains, he said, which is what IBM Security is seeking to address through interoperable security technologies in each of these areas, centred around security intelligence and analytics to enable a “platform of capability” to function as an “immune system” for information security.

“Many companies still don’t understand that the destination is not within a domain, but across the domains so that identity and access systems communicate with the SOC, for example, and that network devices have the information they need from other security systems to block particular exploits,” said Van Zadelhoff.

While he admits security is always going to be about people, process and technology, he claims that from a technology perspective, providing a platform of capability is proving to be an effective way of tackling modern cyber security challenges that are no longer being addressed by traditional approaches.

Read more about security analytics

“If you are able to detect fraud on an endpoint – which is what our Trusteer technology is doing – and you can inform your authentication technology on the perimeter of the bank that a customer is infected with malware so that the transaction is blocked, that is where you start to make a big difference,” said Van Zadelhoff.

“When your identity technology is reporting that your most privileged user in your analytics platform is doing transactions in a pattern that has never been seen before, that’s where magic starts to happen between the domains,” he said.

The importance of security analytics

According to IBM Security, large companies typically have an average of 135 security tools from 30 to 40 different suppliers.

“Given this scenario, companies are not advanced in the various security domains and they are not seeing the relationships between those domains, and consequently, they can’t block vulnerable apps because application security and network security have no links,” said Van Zadelhoff.

He said that, in contrast, the most advanced organisations are building a platform of capability using technologies from a variety of suppliers, and IBM Security is helping them to bring it all together to make sense of it.

Read more about EU data protection legislation

“These relationships can make a huge impact, and I believe that should be the technical destination for all companies seeking to improve their security capabilities,” said Van Zadelhoff.

Although IBM Security has a leading position in 14 segments of the information security market, according to Gartner, security analytics is making the biggest impact in customer organisations.

“Customers that are going to a more forward footing on analytics, I believe are making the best investment in terms of security technology,” said Van Zadelhoff.

The impact of EU and US regulation

Asked whether the EU General Data Protection Regulation (GDPR) – which is expected to come into force as early as spring 2018 – is driving security transformation projects in European companies, he said it had yet to make any noticeable impact.

“US companies are energetically pursuing security transformation project in response to things like the NIST security framework – but we are not seeing similar activity in Europe in response to the GDPR and other regulatory changes related to data security.

“In Europe, budgets are still tighter – while, in the US, budgets have loosened faster and people are really trying to respond quickly to regulatory changes by reviewing and updating their approach to security and security architectures,” he said.

Although there is a lot happening in the UK and the rest of Europe, Van Zadelhoff said that, so far, US regulations appear to be pushing companies forward “harder and faster”.

Read more on Privacy and data protection