I’m a big car nut, so I wondered if there are any parallels between the evolution of cars and IT security. Seven years after the first automobile was produced by Karl Benz in 1886, electronic security started when the wireless telegraph, the first network, was hacked.
While both technologies were born in similar eras, their paths quickly diverged. Automobiles evolved at a fast pace over the years because consumers and government demanded improvements. Performance increased, costs decreased, and safety got a lot better.
In contrast, security’s progression was largely motivated by risk: prevention of attacks, detection of current attacks, and remediation of past attacks. Security was always weighed against the perceived cost of the risk. In other words, you don’t want to spend more on security than the attacks cost you. Comfort was completely alien to security until recently.
Today, security has changed. Rather than simply thinking about detection of attacks, organizations are now beginning to focus on how users will interact with security measures. This is what I am calling Positive Security. Positive Security is the ability to build security into products in a way that benefits users and protects them from intrusion.
How did negative security models work?
How is Positive Security different from the old security models? The traditional model of security focused on the risk and the cost of security strategies and not on how this would affect users. In fact, it was a commonly held belief that the worse the user experience, the better the security. This led to users hating and circumventing security protocols.
The current model of security is slowly beginning to understand the need to improve the user experience. However, security models are still designed to focus on mitigating risk and satisfying regulatory compliance. This change is being driven by business leaders who are demanding that security shouldn’t hinder business goals. They expect that a secure user experience should become easier and faster than with the old security model. That change meant that incident responses became more proactive. However, the process is slow. Even progressive companies aren’t quickly incorporating the lessons learned from past incidents into future security strategies.
As employees expand their use of cloud applications consumed with their own devices, the focus on the user experience is expanding. There is a disconnect between the old security models and new models required for the new cloud-dominated era. As technologies change, a new model must evolve to support continuous change.
How do you prioritize secure business innovation?
The most important implication of Positive Security is that it puts the user experience front and center. This means that secure business innovation must dynamically balance both risk and cost. Positive Security impacts organizations at all levels, including:
- For senior business unit leaders, security must contribute to revenues, profits, customer satisfaction, employee productivity, compliance, and business innovation.
- For IT leadership, security needs to be able to predict the seriousness and urgency of potential threats, prioritize mitigation strategies, analyze the negative impact of fixes and patches on production, and suggest courses of action.
- To support end users and customers, security solutions need to monitor users’ behaviors, transactions, and interactions in near real-time to avoid accidental, mischievous, or malicious activities. Actions can be manually or automatically invoked so that security managers can disable access, step up authentication, or invoke detailed tracking for further analysis. In some cases, “normal behavior” over a long period of time might even cause systems to step down authentication and other security measures to improve the user experience.
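The decision logic described in the last bullet, sketched as an added example (not code from the original article or from any product). The z-score thresholds, the `new_device` signal, the streak length and the sample amounts are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class UserState:
    history: list = field(default_factory=list)  # amounts from sessions judged normal
    normal_streak: int = 0                        # consecutive normal sessions
    auth_level: int = 2                           # 2 = MFA required, 1 = single factor

def decide(state, amount, new_device, streak_to_step_down=3, min_history=5):
    """Return allow, track, step_up_auth, step_down_auth or disable_access."""
    if len(state.history) < min_history:
        # No baseline yet: keep strong authentication and log in detail.
        state.history.append(amount)
        return "track"
    mu = mean(state.history)
    sigma = pstdev(state.history) or 1.0          # flat baseline: avoid dividing by zero
    z = abs(amount - mu) / sigma                  # deviation from this user's own normal
    if z >= 2.0 or new_device:
        # Anomalous sessions are kept out of the baseline, so one odd
        # session does not shift what counts as normal for this user.
        state.normal_streak = 0
        if z >= 6.0 and new_device:
            return "disable_access"
        if z >= 3.0 or new_device:
            state.auth_level = 2
            return "step_up_auth"
        return "track"
    state.history.append(amount)
    state.normal_streak += 1
    # Sustained normal behavior earns a lighter authentication requirement.
    if state.normal_streak >= streak_to_step_down and state.auth_level > 1:
        state.auth_level = 1
        return "step_down_auth"
    return "allow"

def replay(state, events):
    """Run a sequence of (amount, new_device) events through the policy."""
    return [decide(state, amount, new_device) for amount, new_device in events]

# Constructed sample data: a user's usual transaction amounts, then six sessions.
BASELINE = [100, 110, 90, 105, 95]
EVENTS = [(102, False), (98, False), (101, False),
          (115, False), (5000, False), (5000, True)]

if __name__ == "__main__":
    print(replay(UserState(history=list(BASELINE)), EVENTS))
```

A production system would score many signals rather than one amount, but the shape is the same: the response scales with the deviation, and friction drops only after a run of sessions that match the baseline.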
What #PositiveSecurity solutions already exist?
As listed below, many current security technologies fall into the positive category. Therefore, evolving towards #PositiveSecurity does not require rip & replace upgrades of older solutions. Threat Intelligence and Analytics, however, are a new and key distinction, as explained in the next section.
- Endpoint (IoT, Mobile, and systems)
- APT (Advanced Persistent Threat) Defense
- Security SaaS (Software as a Service)
- MSSP (Managed Security Service Providers)
- MFA (Multi-Factor Authentication) with biometrics
- PAM (Privileged Access Management)
- Threat Intelligence and Analytics
- UBA (User Behavior Analysis)
- NGFW (Next Generation Firewall)
- Message Scanning
- DLP (Data Loss Prevention)
- Encryption and Tokenization
- VM (Vulnerability Management)
- White Listing
- Single Sign-On (SSO)
- DDoS (Distributed Denial of Service) and DNS (Domain Name Services) Defense
- SIEM (Security Incident/Event Management)
- Cloud Security
- Web Security
- Applications Security
What really separates #PositiveSecurity solutions from negative ones?
The predictive capabilities of threat intelligence and analytics enhance current security technologies’ ability to see early Indicators of Attack (IoA) around the world and take preemptive and prescriptive measures to reduce an enterprise’s vulnerability. Using machine learning and artificial intelligence, #PositiveSecurity systems alert on Indicators of Compromise (IoC) based on anomalous deviations from normal patterns. Moving from reactive to proactive to predictive is one crucial driver towards #PositiveSecurity. The other driver requires not just IT, but all the stakeholders, to embrace #PositiveSecurity’s core collaboration between UX, risk, and cost.
What would happen if cybersecurity was a positive, instead of a negative?
In an ideal world where security actually improves business operations, consumers would shop for the best deals without worrying about web site reputation, credit card theft, stolen passwords, and identity theft. Employees could access company applications and data from anywhere in the world, on any device, across any network quickly and securely. Businesses could efficiently, cost-effectively, and selectively make services, applications, and data freely available to employees, customers, prospects, suppliers, resellers, contractors, and regulators without performance penalties, costly integration, or disruption of production processes. Consumers and businesses could continuously optimize IoT processes, systems, and analysis without fear of hijacked devices, theft of analytics, or management disruption.
Granted, this is an optimistic view, but a positive outlook certainly produces better outcomes than a negative one. Moreover, the precursors of positive security solutions already exist. There are innovative businesses that have adopted this view and are benefiting from it. We hope to bring you these stories in the future so your company can benefit from #PositiveSecurity.