Cybersecurity and business goals

In security, we often get stuck in the weeds — we think about solving urgent problems in creative, but often tactical, ways instead of strategically addressing the underlying challenges. At RSA Conference 2017, we were reminded of the goal we are aiming to achieve — to reduce business risk. The risk is chaos, whose “ripple effects propagate more quickly and with more devastating consequences.”

In the keynote, RSA CTO Dr. Zulfikar Ramzan implored the audience to think about security as a business issue. Organizations “must adopt a business-driven security strategy — because security isn’t just a technology problem; it’s a business problem.” According to Dr. Ramzan, without Business-Driven Security, we fall into the “Gap of Grief” — where business and security leaders are not aligned. He offered three suggestions to “enable security leaders to draw connections between cybersecurity and business goals” and “between the technical details of a security incident and the corresponding business impact.”

  • Treat risk as a science not a dark art
  • Simplify what you control
  • Plan for the chaos you can’t control

For Citrix, security is all about the secure delivery of apps and data — reducing business risk with enhanced IT and security operations. The Ponemon surveys confirm the need for a new security framework and our CTO Christian Reilly challenges us to “be bold, embrace the future, and take necessary steps to build security into your business strategy.”


Among the initiatives our customers are pursuing are:

  • Secured Access – providing employees and third parties with secured access to sensitive business information
  • Secured Mobility – providing access to apps and data outside the office, and allowing people to choose their own device
  • Data and IP protection – protecting company data from theft and loss, and IP from infringement and misappropriation
  • Compliance and Governance – addressing compliance standards with systematic logging, reporting and auditing processes
  • Business Continuity – ensuring continuity of operations and system availability during business disruptions

As I mentioned in my previous blog post, complexity is the enemy of security. What does complexity look like? It’s, as Dr. Ramzan found, having “84 different security vendors” – many of which do not integrate. He states that another way to get into the “Gap of Grief” is “when these areas aren’t integrated, multiple disconnected point solutions create chaos through alert fatigue. And organizations lack the business context to meaningfully navigate the chaos.”

An example I hear at almost every Citrix executive briefing is the challenge of app delivery – security inclusion vs. exclusion – “enabling the good guys to get in” while “keeping the bad guys out.” Thinking in a tactical way about app delivery leads us to an architecture with multiple point solutions that is complex and difficult to manage. It’s not uncommon to hear that our customers wish to consolidate different vendors that are delivering web apps, enterprise apps and desktops, mobile apps, and file sync and sharing. And tying that all together for a great user experience (and better security hygiene) is the need for SSO and federation. With the quickly expanding field of IoT, yet another solution is required.


The traditional approach

Many of our customers have already taken the first step in the journey, moving high-value apps and data off low-value assets. By centralizing apps and data in the data center, or better managing them on mobile devices, they not only achieve better IT efficiency but also reduce the complexity of app delivery. Along the way, they’ve consolidated load balancers, web app firewalls, VPNs and SSO functionality, both to reduce network sprawl and to reduce administration overhead and the cost of maintaining support for multiple platforms. Some have explicitly stated their goals of reducing the attack surface and getting control of far too many access points.


The Citrix approach

Dr. Ramzan concluded with a call to action: seize the opportunity to lead our organizations through chaos, which includes having an incident response plan with the ABCDs: Availability, Budget, Collaboration, and Dress Rehearsals. “The first time you try out your plan shouldn’t be during an actual incident,” he said, invoking cybersecurity expert and boxer Mike Tyson, who said: “Everybody has a plan until they get punched in the mouth.”
