Lookout chief strategy officer, Aaron Cockerill, presenting at the 2016 Gartner Security Summit
People-centric security models: The good and the bad
- Aaron Cockerill, Chief Strategy Officer, Lookout
There was a lot of emphasis on the end user at this year’s Gartner Security Summit last week. The reigning themes were “Citizen IT” and employee education.
“Citizen IT,” as discussed by Gartner’s John Girard in one of his presentations at The Summit, is an interesting twist on what is otherwise known as “shadow IT,” or the software that employees choose to use without IT oversight. In Citizen IT, individual employees have the freedom to use productivity tools and apps of their choosing, but within preset guidelines created and distributed by the IT security department.
Today, when it comes to mobile, users typically use productivity tools and apps of their choosing, irrespective of the guidelines created and distributed by the IT security department. The idea of Citizen IT is a good one, but only if used in tandem with a technology that can help monitor and enforce these guidelines.
Examples of these guidelines could be that apps or services shouldn’t collect certain data deemed sensitive by the organization and share that data with other apps or services deemed inappropriate. Another might be that an endpoint security application must be present on the device before it is able to access such sensitive data.
With Citizen IT, employees get the opportunity to learn about security policies and understand more about them. IT departments, in return, create advocates for company security.
The one caution: employee education will never be enough on its own. Humans are typically the biggest part of the problem. We fall for phishing attacks, connect to potentially harmful networks out of convenience, and install all sorts of new apps. IT security teams (and employees) need a solution that can alert them to harmful situations. Identifying harmful apps (malware) or insecure network connections is a relatively well understood space when applied to mobile devices. The bigger challenge in making Citizen IT work for the mobile space is giving IT admins the ability to identify apps that are not necessarily malicious, but that would contravene corporate security policy or introduce regulatory compliance issues. And with over four million apps on the App Store and Play alone, this is a big problem indeed.
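The two guidelines sketched above (apps must not hand sensitive data to inappropriate destinations, and an endpoint security app must be present before sensitive data is accessible) and the point that policy-violating apps need not be malware can be expressed as a small, machine-checkable policy. The following is an added illustration written for this post, not Lookout’s product logic or any Gartner material; the data categories, destination categories, package names and device inventories are all constructed for the example.

```python
"""Evaluate a mobile device inventory against constructed 'Citizen IT' guidelines.

Added example: the policy, categories and package names below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Data the organization deems sensitive (constructed categories).
SENSITIVE_DATA: Set[str] = {"contacts", "location", "calendar", "corporate_email"}

# Destination categories the organization deems inappropriate for sensitive data.
DISALLOWED_DESTINATIONS: Set[str] = {"ad_network", "third_party_analytics", "unknown"}

# Hypothetical package name of the required endpoint security app.
REQUIRED_ENDPOINT_SECURITY = "com.example.endpointsecurity"


@dataclass
class AppRecord:
    package: str
    data_collected: Set[str] = field(default_factory=set)
    shares_with: Set[str] = field(default_factory=set)  # destination categories
    is_malware: bool = False


@dataclass
class DeviceInventory:
    device_id: str
    installed: List[AppRecord] = field(default_factory=list)


def app_violations(app: AppRecord) -> List[str]:
    """Return the reasons an app contravenes policy; an empty list means compliant.

    Note that an app can violate policy without being malware: a legitimate app
    that forwards location data to an ad network trips the second rule.
    """
    reasons = []
    if app.is_malware:
        reasons.append("known malware")
    sensitive = app.data_collected & SENSITIVE_DATA
    bad_dest = app.shares_with & DISALLOWED_DESTINATIONS
    if sensitive and bad_dest:
        reasons.append(
            f"shares sensitive data {sorted(sensitive)} with {sorted(bad_dest)}"
        )
    return reasons


def has_endpoint_security(device: DeviceInventory) -> bool:
    return any(a.package == REQUIRED_ENDPOINT_SECURITY for a in device.installed)


def evaluate_device(device: DeviceInventory) -> Dict[str, object]:
    """Decide whether the device may access sensitive corporate data.

    Access is allowed only if the endpoint security app is present and no
    installed app violates policy; every finding is reported so an admin can
    act on it rather than receiving a bare allow/deny.
    """
    reasons: List[str] = []
    if not has_endpoint_security(device):
        reasons.append("required endpoint security app not installed")

    app_findings: Dict[str, List[str]] = {}
    for app in device.installed:
        violations = app_violations(app)
        if violations:
            app_findings[app.package] = violations
    if app_findings:
        reasons.append("policy-violating apps present")

    return {
        "device_id": device.device_id,
        "allow_sensitive_access": not reasons,
        "reasons": reasons,
        "apps": app_findings,
    }


# Constructed sample inventories.
COMPLIANT_DEVICE = DeviceInventory("dev-001", [
    AppRecord(REQUIRED_ENDPOINT_SECURITY),
    AppRecord("com.example.notes", {"calendar"}, {"own_backend"}),
])

RISKY_DEVICE = DeviceInventory("dev-002", [
    # No endpoint security app, and a non-malicious app leaking location to ads.
    AppRecord("com.example.weather", {"location"}, {"ad_network"}),
])

if __name__ == "__main__":
    for dev in (COMPLIANT_DEVICE, RISKY_DEVICE):
        print(evaluate_device(dev))
```

The separation between `app_violations` and `evaluate_device` mirrors the distinction in the text: the first rule is about what an individual app does with data, the second about device posture, and an admin needs both signals, not just a malware verdict.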
Gartner has it right: we should bring employees into the security responsibility hierarchy. Whether an enterprise embraces personal device usage at work, people will be using their work devices for personal activities anyway. Moreover, given today’s app economy, they will use the tools they prefer outside of work to help them get their jobs done. They should be educated as to the risks to their data and be a part of securing against those risks.
Neither security technology nor educating employees alone will be the silver bullet that fixes your security problem. Working in tandem, these two strategies will give you a supreme leg up in protecting your data and your employees.
Why we don’t care about prevention anymore
- Santosh Krishnan - Chief Product Officer, Lookout
In a presentation titled “The State of Security Markets,” Gartner’s Sid Deshpande and Ruggero Contu used a great Lord of the Rings reference to lay out the “things that were, things that are, things that have yet to come” of security. The “things that were” included preventive security and checkbox-security mindsets.
Let me define these terms.
Preventive security is the idea that we can stop people from attacking us. If we can prevent the attack, then we won’t have to worry about our data being stolen.
Checkbox security is the idea that a CIO or CSO can just deploy a security technology and call it a day. Success, in this scenario, is measured by how much technology is implemented in an organization, not by substantial risk reduction.
We live in a new security world order where numerous breaches of many different sizes make headlines every week. To focus solely on preventing attacks is to potentially overlook attacks already happening against your company.
This is why the security industry as a whole is elevating this word “visibility.” It’s no longer about preventing attacks from happening; it’s all about seeing them when they do. The sentiment here is painfully simple: if you see what is happening, you can do something about it.
It is for this reason that checkbox security is dying, too. Okay, so now you see the threat at hand, what do you do about it? Simply deploying technology was easy when the end goal was “prevent attacks.” If you accept that you’re going to be attacked and need to see those attacks happening, you’ll need to measure your security vendors by more than just their existence in your stack.
You need to look at how they impact your risk. Detecting and responding to attacks is one of Gartner’s Six Key Principles of Security, as revealed during The Summit. Your security solution should help you do both, and quickly. You should evaluate a solution’s dwell time, or how long it takes for a threat to be detected and reported. Questions to ask:
- How does the solution detect threats?
- Can the solution detect unknown threats?
- What does the interaction with my IT admin look like?
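Measuring dwell time as the post defines it (how long a threat takes to be detected and reported) is straightforward once incident records carry three timestamps: first observed activity, detection, and the report reaching the admin. The script below is an added example, not a Lookout tool or a Gartner method; the incident records and the one-hour SLA are constructed for illustration. It splits dwell time into detection latency and reporting latency, because a solution that detects quickly but surfaces findings slowly still leaves the admin blind.

```python
"""Compute dwell-time metrics from incident records.

Added example with constructed data; timestamps are ISO 8601 without timezone.
"""
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List

# Constructed incident records: when the activity began, when the solution
# detected it, and when the finding reached an admin.
INCIDENTS: List[Dict[str, str]] = [
    {"id": "INC-1", "first_activity": "2016-06-01T09:00:00",
     "detected": "2016-06-01T09:05:00", "reported": "2016-06-01T09:06:00"},
    {"id": "INC-2", "first_activity": "2016-06-02T14:00:00",
     "detected": "2016-06-03T10:00:00", "reported": "2016-06-03T10:30:00"},
    {"id": "INC-3", "first_activity": "2016-06-05T08:00:00",
     "detected": "2016-06-05T08:40:00", "reported": "2016-06-05T08:45:00"},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def _minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60.0


def dwell_time(incident: Dict[str, str]) -> timedelta:
    """Dwell time per the post: first activity until the threat is detected and reported."""
    return _parse(incident["reported"]) - _parse(incident["first_activity"])


def detection_latency(incident: Dict[str, str]) -> timedelta:
    """First activity until detection (how long the solution was blind)."""
    return _parse(incident["detected"]) - _parse(incident["first_activity"])


def reporting_latency(incident: Dict[str, str]) -> timedelta:
    """Detection until the admin saw it (how long the finding sat unseen)."""
    return _parse(incident["reported"]) - _parse(incident["detected"])


def dwell_report(incidents: List[Dict[str, str]],
                 sla: timedelta = timedelta(hours=1)) -> Dict[str, object]:
    """Summarise dwell time across incidents and flag those exceeding the SLA.

    Median rather than mean is reported so one long-running incident does not
    mask many quick ones; the max is kept so that incident is not hidden either.
    """
    for inc in incidents:
        if not (_parse(inc["first_activity"]) <= _parse(inc["detected"])
                <= _parse(inc["reported"])):
            raise ValueError(f"{inc['id']}: timestamps out of order")

    dwells = [dwell_time(i) for i in incidents]
    return {
        "incidents": len(incidents),
        "median_dwell_minutes": median(_minutes(d) for d in dwells),
        "max_dwell_minutes": max(_minutes(d) for d in dwells),
        "median_detection_minutes": median(_minutes(detection_latency(i)) for i in incidents),
        "median_reporting_minutes": median(_minutes(reporting_latency(i)) for i in incidents),
        "sla_breaches": [i["id"] for i, d in zip(incidents, dwells) if d > sla],
    }


if __name__ == "__main__":
    for key, value in dwell_report(INCIDENTS).items():
        print(f"{key}: {value}")
```

Run against a vendor’s own incident export, the `sla_breaches` list is the answer to “how quickly does this solution actually get a threat in front of my admin,” which is the question the post says should replace “is it deployed.”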
Prevention and checkbox security are lazy security. The future is deep visibility, immediate detection, and fast remediation.
Preventing attacks isn’t the metric by which you measure a successful security program. Your ability to respond is.