Security – It’s about planning for failure


As the world continues to become increasingly connected, organisations are faced with large quantities of data they need to protect and make sense of. International Data Corporation (IDC) predicts that 66 percent of CEOs will have digital transformation at the centre of their corporate strategy and 65 percent of large enterprises will become information-based companies, significantly increasing the value of their data assets by 2020. Organisations must, therefore, stop talking about security and rather focus on the risk to high-value data assets. This is the view of Jon Tullett, research manager at IDC Sub-Saharan Africa.

“It is about time the industry focused more on risk rather than the traditional security measures of the past. The fact is, you are always under threat and, therefore, your security strategy needs to be designed in such a way that you are proactively assuming that it will fail. If you plan for failure, you will have the necessary contingency plans in the event of a breach to ensure you can protect sensitive data,” says Tullett.

He adds that transforming your organisation’s security practice in isolation will result in failure. “The majority of digital transformation projects done in silos will ultimately fail and security transformation is no different. The threats your organisation faces will always move faster than you, which means you will always be reactive and, by definition, your security practice will always be behind. It’s a question of how far behind.”

Tullett believes that throwing money at the issue will not make the problem go away. “Security is a long-term investment and every individual thing you do is not necessarily measurable on its own. Organisations have to take a long-term view and realise that this is an ongoing investment.”

It’s about risk rather than security

“Quite often security investment is done backwards. Organisations buy solutions under the assumption that they need it and that it is going to work. They should, however, start with risk profiling. Classify your assets so that you know what you’re protecting and then you can put the appropriate measures in place,” says Tullett. “If you start by just throwing money at the mechanisms, then you’re back at that siloed approach and you are going to fail, as we have done for decades.”

Ensuring that your entire organisation is more aware of the risks is also crucial. “The user isn’t thinking about the risk they are creating for the organisation and that’s not their fault. The majority of users also don’t care about the business losing data, but it is a different story when it impacts them personally. By turning the security operation into a champion that is educating them on how to preserve their personal data, they will become more security-aware individuals and will be less likely to expose the organisation to risk.”

It’s time for a more agile approach to security

“We are seeing a movement towards deconstructing security,” says Tullett. “Where in the past organisations invested in huge monolithic security stacks, they are now moving towards more agile strategies, with smaller components. In the event of a breach, this allows them to realign their resources fairly quickly and recompose them into new solutions, on demand.” He adds that this implies growth in managed security services, as many organisations do not have the capacity or skills to do this themselves.

Tullett believes that going forward it will be about creating better layers of security. “Protect as much as you can, but also ensure that you can detect, mitigate and isolate breaches in real time, and do it in a way that is aligned with the value of the asset you are trying to protect,” he says. “Unfortunately, most organisations have not classified their data effectively and therefore they don’t have sight of where that data resides, who has access to it and where it is moving to. More importantly, they don’t understand the future value of their data asset.”

IDC predicts that by 2020, 25 percent of manufacturers will make 50 percent of their revenue from information assets. “The data centre is currently being looked at from an operational level, but we predict that this asset will increase significantly in value. In fact, it will eventually become more valuable than your actual factory so you’re no longer protecting an operational asset, but rather half of your business. Can you afford to put that at risk?”