Overcoming barriers to becoming a security-first organization
- Published: Tuesday, 09 April 2019 12:00
Taking a security-first approach involves prioritizing security in all areas of the business, including its people, processes and applications; and requires moving away from a simple ‘protecting the perimeter’ approach. Justin Calmus highlights four key areas that organizations need to consider when moving in this direction.
Enterprises are increasingly recognising the benefits of embracing cloud infrastructure to support on-premise networks, but often create complicated network environments in the process. Recent OneLogin research revealed that 94 percent of global CIOs agree that the corporate technology stack is becoming increasingly complex, with more apps (both cloud and on-prem), data, devices and transactions than ever before. Running systems via the cloud offers efficiency and productivity to better support large distributed workforces, no matter where an employee is based. As a company evolves it can often outgrow its on-premise network. Consequently, IT strategies must be created to futureproof networks, as well as to protect customer and employee data.
The influx of new applications onto enterprise networks shows no sign of abating, threatening network security posture. OneLogin research found that two-thirds of UK enterprises expected to deploy up to 100 new commercial SaaS and on-premise apps in the last year. This high frequency of large-scale app deployment to enterprise networks means it is critical that enterprises develop a security-first strategy to encourage healthy hybrid-network environments. Such strategies are imperative to calm chaotic networks overwhelmed by the constant onboarding of applications. Just like spinning plates, it is only a matter of time until a chaotic and fragmented hybrid network wobbles and the entire enterprise network collapses.
To ensure organizations' networks remain agile and secure, IT decision-makers and professionals should consider the following points to encourage a companywide security-first culture:
A single source of truth
Multiple directories mean multiple vulnerabilities. Whether directories are in the cloud, on-premise, or both, they need to be managed from one unified system that’s adaptable and scalable.
Manage access for employees and end-users
81 percent of hacking-related breaches involve stolen or weak credentials. Single sign-on (SSO) and multi-factor authentication (MFA) work together to strengthen credentials and protect data from unauthorised access across all users' devices and apps.
Onboard and offboard efficiently and securely
As organizations continue to grow, HR and IT departments are tasked with getting new employees onboarded quickly, and offboarding ex-employees just as fast, if not faster, to stay secure. In large enterprises, new staff need to be added every week and, likewise, staff leave every week, placing a strain on HR and IT teams. To simplify these processes, run them as efficiently as possible and put security first, enterprises should invest in automated processes and tools. An instant 'kill switch' for deprovisioning and real-time directory synchronization can dramatically reduce time spent on IT administrative tasks and greatly reduce the risk of ex-employees leaving with sensitive information that could be sold to competitors.
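The two points above (one directory as the single source of truth, and an automated deprovisioning 'kill switch' driven by that directory) can be made concrete with a reconciliation loop. The following Python is an added example written for this page, not OneLogin code or any product's API: it treats a constructed HR roster as the source of truth, compares every account in every connected app against it, disables terminated employees and revokes their sessions, reports accounts that exist in an app but not in HR (orphans), and flags accounts that are still enabled after an assumed one-hour deprovisioning SLA. All names, the roster and the app stores are constructed sample data.

```python
"""Reconcile application accounts against the HR roster (constructed data).

Added illustration: the HR system is treated as the single source of truth.
Every account in every connected app must map to an active HR record;
terminated employees are disabled everywhere (the "kill switch"), and
accounts with no HR record at all are reported as orphans.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class HrRecord:
    email: str
    status: str                              # "active" or "terminated"
    terminated_at: Optional[datetime] = None


@dataclass
class AppAccount:
    email: str
    enabled: bool = True
    sessions: List[str] = field(default_factory=list)   # live session ids


@dataclass
class Action:
    app: str
    email: str
    kind: str   # "disable", "revoke_sessions", "orphan", "sla_breach"


# Maximum time an ex-employee's account may stay enabled (assumed policy value).
DEPROVISION_SLA = timedelta(hours=1)


def reconcile(roster, apps, now):
    """Compare every app account against HR and return the required actions.
    Nothing is changed here; apply() performs the changes."""
    by_email = {r.email: r for r in roster}
    actions = []
    for app_name, accounts in apps.items():
        for acct in accounts.values():
            rec = by_email.get(acct.email)
            if rec is None:
                # Account exists in the app but HR has never heard of it.
                actions.append(Action(app_name, acct.email, "orphan"))
                continue
            if rec.status == "terminated" and acct.enabled:
                actions.append(Action(app_name, acct.email, "disable"))
                if acct.sessions:
                    actions.append(Action(app_name, acct.email, "revoke_sessions"))
                if rec.terminated_at and now - rec.terminated_at > DEPROVISION_SLA:
                    # Still enabled long after termination: the kill switch failed.
                    actions.append(Action(app_name, acct.email, "sla_breach"))
    return actions


def apply(apps, actions):
    """Execute the disable/revoke actions in place; return the count applied.
    Orphans and SLA breaches are reported for a human, not auto-fixed."""
    applied = 0
    for a in actions:
        acct = apps[a.app][a.email]
        if a.kind == "disable":
            acct.enabled = False
            applied += 1
        elif a.kind == "revoke_sessions":
            acct.sessions.clear()
            applied += 1
    return applied


def sample_data():
    """Constructed roster and app stores for a stand-alone run."""
    now = datetime(2019, 4, 9, 12, 0, tzinfo=timezone.utc)
    roster = [
        HrRecord("alice@example.com", "active"),
        HrRecord("bob@example.com", "terminated", now - timedelta(minutes=10)),
        HrRecord("carol@example.com", "terminated", now - timedelta(days=3)),
    ]
    apps = {
        "crm": {
            "alice@example.com": AppAccount("alice@example.com"),
            "bob@example.com": AppAccount("bob@example.com", sessions=["s1"]),
            "carol@example.com": AppAccount("carol@example.com"),
        },
        "vpn": {
            "bob@example.com": AppAccount("bob@example.com"),
            "dave@example.com": AppAccount("dave@example.com"),  # no HR record
        },
    }
    return roster, apps, now


if __name__ == "__main__":
    roster, apps, now = sample_data()
    actions = reconcile(roster, apps, now)
    for a in actions:
        print(f"{a.kind:16} {a.app:4} {a.email}")
    print("applied:", apply(apps, actions))
```

Running it on the sample data produces six actions: Bob is disabled in both apps and his CRM session revoked, Carol (terminated three days ago and still enabled) is disabled and flagged as an SLA breach, and Dave's VPN account is reported as an orphan because no directory record backs it. A second pass after `apply()` returns only the orphan, which is the point of the loop: it is idempotent, so it can run on a schedule or be triggered from the HR event feed.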
Security versus usability – getting the balance right
To encourage employees to follow security protocols and buy into a security-first culture, additional security processes must make the tools they use to do their jobs easier to use. Otherwise, employees will be reluctant to adopt them and will find a way to circumvent security protocols, essentially leaving the business they work for open to malicious cyber criminals.
It can be all too easy for employees to sign up for and download new applications on corporate, and even personal, devices they use for work. Some employees even pay for these applications out of their own pocket to avoid going through tedious HR and IT protocols.
Enterprises must find a balance between usability and security to become a security-first organization, or face becoming security-last and at the mercy of cyber criminals. Not only will an organization’s inability to prioritize security cost the company its sensitive data, but it will also incur regulatory fines for not complying with data privacy laws, such as the European General Data Protection Regulation (GDPR) or the US’ Data Privacy Shield.
A security-first strategy and posture must be reflected in an organization’s vendor selection processes and positively influence the end-user experience every step of the way. If organizations fail to acknowledge the importance of a security-first culture throughout decision-making processes, they will risk circumvention and hefty regulatory fines, damaging their reputations.
Justin Calmus is Chief Security Officer at OneLogin.