I am kicking off a series on Enterprise Security (#EntSec on Twitter) with a very simple question... "In 2012 Enterprise Security will struggle with ... A, B, C..."
What I'm looking for all of you to do is think about what those 3 things are. What are you currently struggling with as the year starts off? At the conclusion of every previous year we hear the same phrase being uttered "... next year will be the year of the [?]"...
And it's always something that seems rational and logical in the crystal ball but loses its shine as reality of going back to work sets in. I'm looking for some very real, strategic and tactical issues you think enterprises will be struggling with.
Often in the world of vendors we are accused of not understanding customer (your) challenges and struggles - so now is your chance to speak up.
Let me tell you how I see it, because I've been in some of the biggest and smallest companies out there over the last decade, and while the landscape of threats changes, the challenges organizations in the enterprise scale face, don't move as fast.
Resources - whether you're just starting to work in the enterprise now, or have been in the enterprise security landscape for 2 decades, resources will always be your biggest challenge. Some of us are lucky enough to find organizations which require true security so they'll throw piles of money at the problem ... but that doesn't necessarily buy security (but that's a different discussion).
In most enterprise class organizations resources are scarce. You're probably looking at a 1,000:1 ratio of security professionals to staff (or much worse the larger your organization grows). The challenges to resources don't end with money availability - it's often the ability to attract and retain talent.
Keep in mind many talented security professionals simply don't want to work in a large, formal, structured environment... it's one of those things, I guess. The "security personality" often clashes with corporate culture and creates serious human resource shortages.
Complexity - If you've solved the complexity issue in an enterprise I want to write a book about you. I think it's impossible, given the pace of business is always a few steps ahead of security's ability to control that pace. You see, most businesses are about being agile - even at the "enterprise" scale.
Unfortunately, agility tends to run counter to control which security strives for so that creates friction and more challenges. Complexity in the enterprise mainly comes from the rapid rates of expansion, contraction, acquisition and expulsion of sub-entities ... the pace can be maddening, not to mention a veritable hazard for security.
Awareness - The business world just doesn't seem to truly care about security. It's maddening to anyone who's done it long enough but becomes an accepted fact of life over time. Enterprises care about risk, compliance, and proprietary information. Anything that helps them maintain a competitive edge over the competition, and widen the profit margin is critical.
Security, though, tends to fall into the "that's someone else's problem" and even though more enterprises are now including security awareness as part of their on-boarding process, the general population is widely apathetic. We've said it just takes a compelling incident "big enough" to get people to think about security ...but we've seen some gargantuan incidents and what?... mere blips on the radar.
Will awareness ever truly rise to necessary levels? Magic 8-ball says "Answer uncertain, try again later".
Technology - The only thing that moves as fast as technology (or sometimes faster) is the general population's need to adopt it. This doesn't change when you enter the enterprise. Think about how fast the gap is closing between when cool technology is first announced to when your developers are using it to code the latest features into the enterprise portal. What used to take months now takes mere days.
Sometimes your developers are using technologies that not only your tools, but you haven't even heard of yet. Then what? Bryan Stiekes whom was a guest on my podcast a while back mentioned it takes a full 10 years to understand the implications of technology we implement today... that's mind-blowing, and bad at the same time.
What happens between the time that new tech (often experimental) gets adopted by developers, marketing wizards, and corporate staff and the time that security has had ample time to understand and devise strategies to protect that technology? I'll tell you - exploits.
Threat - Let's face it, while the vectors and personality of threats change and evolve as the years go by - the very nature of threat simply does not. Threats are ever-present. Threats come from every angle, every day, and everyone can be a threat actor. While the last few years has seen a rise in the 'chaotic cyber terrorist' (let's call them what they are) the very existence of threat has not changed.
A century ago threat was present as it is today, it's just that it didn't sneak by your firewall at 2:00 am on a quiet Tuesday to steal your entire corporate database ... it would have been more physical. But as the Internet has become pervasive, and everything moves to digital - threat does as well.
You have to keep close tabs on your employees, your friends, your enemies and those you would never suspect... because threats are ever-present and overwhelming. Keep a level-head, because the evolution of threat doesn't mean it's any more scary today than yesterday.
Cross-posted from Following the White Rabbit