Tuesday, January 24, 2012

What are the main challenges in enterprise security?

Talking to a senior partner at one of the big four professional services firms, it was pointed out to me that a weblog that is not getting updated is better let go.
There was actually good advice in there, and it made me think of a series of daily short notes that I was taking during preparation for job hunting in the area of enterprise security and risk:

In the last two months of studying and preparation, I looked at very diverse changes happening in the security area. If I were asked in a job interview "what are going to be the main challenges in enterprise security?", I would say business models and enterprises are changing fast, and the main change drivers are mobility, cloud computing, and social networking. I will get back to those, but before that, I need to mention that organizations are not the only group changing. Attackers are getting seriously sophisticated (examples: Anonymous hacking group, LulzSec, etc.). They are organized, goal-oriented, and not only opportunistic, but actually have exact plans and targets.

Those big changes I listed above are business enablers; they can help security, or they can open the doors of organizations to critical risks. The use of portable devices and mobiles outside the traditional enterprise network perimeter is now the norm. Mobile applications have not yet faced huge security breaches, while what I have understood is that mobile devices are already less secure (no physical security, no secure data storage, no malware protection, poor keyboards and thus shorter passwords showing up again, lack of multi-user support on each device, and easier phishing in mobile browsing). Web 2.0 applications and social networking are now part of many firms' daily routines. Many enterprises have not actually thought about the security implications and threats of their employees chit-chatting on Facebook and updating work-related statuses. Cloud computing is exciting and promising, and is going to help firms bounce services and computations onto someone else's machines, but have organizations thoroughly analyzed who is going to guarantee the confidentiality and integrity of the data and computations they bounce off to the cloud?

It seems a DMZ and nicely configured firewalls are not enough anymore. From what I understood, out there in the wild, Data Loss Prevention products, Security Event and Information Management tools and Identity Management Solutions are the hot hot areas of investment, beyond what is already being spent on traditional network security. I think to the must-have list we need to add: training and awareness, policy development, enforcement, management, and compliance, as well as routine vulnerability assessment, penetration testing, and risk assessment.
