Managing Security Risk in a Complex Environment
Managing security in today’s environment is about managing risk. Cyber attacks against organizations are increasing, to the point where organizations should assume that their networks have been or will likely be compromised at some point.
The emergence and adoption of new technologies like mobility, cloud computing and social business can increase organizations’ capabilities, but may also increase their security risk. These trends increase the number of digital identities that organizations need to monitor and manage. Security awareness, education and training can be critical to organizations trying to achieve an effective cyber security posture.
Furthermore, passwords – the standard for securing access to many corporate systems – may not be providing organizations with the protection they require. According to Mandylion Research Labs, as cited in a recent CIO Journal article, powerful computers, password-cracking tools and other techniques may crack very strong passwords in the time it takes to spellcheck an email.
How can organizations position themselves in this environment? Rick Siebenaler, a principal in the Security & Privacy practice of Deloitte & Touche LLP’s Enterprise Risk Services business, says “Until a meaningful alternative is designed, developed and gains widespread adoption, passwords are here to stay,” but recommends that companies consider implementing supplemental security technologies, such as adaptive authentication and one-time passwords, to enhance security.
On an enterprise security level, Harry D. Raduege, Jr., Chairman of the Deloitte Center for Cyber Innovation, recommends that organizations consider the following:
- Trust – but dynamically monitor: Try to focus on forensics (analyzing an attack after it happens) and predictive analytics (using insights to take action to reduce future risk)
- Share vulnerability: Manage security risk by trying to broaden the scope of the security and identity management mission across the organization and moving it from back rooms into board rooms
- Address expectations: As organizations integrate new mobile technologies and IT systems expand into the cloud, cyber security should adapt to address the expectations of users