The debate continues on who actually said the phrase: “Culture eats strategy for breakfast.” Was it Peter Drucker or was it former CEO of Ford Motor Company, Mark Fields? Nevertheless, it is a phrase that applies to today’s world of security. The best of intentions and planning can never equal the commitment and aptitude to execute. It is the security culture of today’s modern businesses that has the greatest impact on their success, more than all the strategic planning.
This “security culture” is often the greatest driver in helping organizations shift from the mindset of leveraging only the foundational building blocks of security to a layered defense model of overlapping controls that covers the complete tech stack. Culture once again drives the strategy, but strategy does not drive the culture.
Today’s culture must now take into consideration the dramatic differences in the threat landscape and the different risks introduced by the cloud. Mobile apps, the Internet of Things (IoT), edge computing, APIs, and a host of other cloud-enabled innovations have toppled the stack and pushed cyber risk beyond the realms of the traditional castle-defense models of the past. For example, 93 percent of organizations surveyed for the Oracle and KPMG Cloud Threat Report 2019 said they are dealing with employees using rogue mobile apps that aren’t part of the company’s stack.
Risk is compounding for threats like these as organizations put more of their critical systems like enterprise resource planning (ERP) into the cloud. The Cloud Threat Report survey found that a notable 69 percent of respondents said more of the cloud services they use are business critical compared to 12 months ago.
We still use “stack” to describe systems that medium and midsize organizations plan and control, but what this really means from a security perspective is an organization’s core data, no matter where it physically resides. Knowing what security and risk mean at every level of that stack within the cloud world is important in keeping valuable operational and customer data as safe as possible.
First and foremost, company and IT leadership need to be aligned about security, and this could require a shift in thinking. Security should be as much about culture as the strategy of technology choices. A “castle mentality” must now be redefined as being more about securing the “kingdom” since not all the critical assets reside within the castle’s walls. Organizational planning must continue to grow and expand as the footprint of data assets changes and increases into the cloud.
Training, education, automated reminders, and helpers all address another huge security risk: employees.
Lots of risks enter business systems through seemingly legitimate emails (phishing), for instance. Malware and compromise of sensitive data are two of the leading impacts of a phishing campaign or business email compromise. Often attackers start with the compromise of user credentials before exploiting key systems.
To avoid these mistakes—as well as malicious employee acts, such as using someone else’s credentials to access unauthorized systems—all employees need to be trained to recognize suspicious activity for what it is and act accordingly. This should be a process of re-education on a regular basis. We see regular training initiatives tied to how our employees interact with sensitive information, or one another, but we often don’t focus on the more critical components of risk and threat prevention education.
From a tactical point of view, securing the stack isn’t any one person’s job anymore. Even if you have a CIO or even a chief information security officer (CISO), responsibility extends beyond these roles. Cyber security must be embedded in all aspects of the cloud, including development, integration, deployment, monitoring, compliance, and maintenance.
Fortunately, innovation has led to better tools for embedding and maintaining security in all of these roles, and automation is a big part. For example, Oracle’s Autonomous Database, a self-repairing, self-securing database, can protect against external attacks and malicious internal users. Database and infrastructure management, monitoring, and tuning are automated, which reduces the human touch, and therefore risk.
Another important aspect of modern security is working with cloud vendors. It’s vital to understand who is responsible for what because this can vary. We call this a “shared responsibility security model.”
Your security responsibilities will depend upon how you have configured your stack, but you will have responsibilities in each layer.
It’s absolutely vital to have a clear understanding of this division so that no part of the stack is left unprotected. To do so, ask vendors as many questions as you need. In the Cloud Threat Report research, participants shared that confusion about shared responsibility for security had led to the introduction of malware (34 percent) and exposure to increased audit risk (32 percent).
If you’re finishing this blog and thinking, “I’ve got a lot of things to check on,” you aren’t alone. Cloud-enabled technologies are commonplace, and this has redefined what it takes to protect a company’s crown jewels: its data. Fortunately, those same technologies are making it easier to secure data and systems through automation.
Start with leading a new culture inside your organization focused on protecting corporate assets, intellectual property, the brand, and reputation of the business, as well as the privacy and protection of customer and corporate information. From this can evolve a successful strategy that covers the needs of the “kingdom.”