On the heels of my last post regarding the role of the modern CIO, I thought it would make sense to delve a little into the relationship between CIOs and network security. Many CIOs have expressed indifference to the network security discipline (in fact, to the security discipline in general), at least until there's some sort of problem. But why?
Given the innovation expected from modern CIOs, shouldn't CIOs be interested in enabling an organization to adopt new technology without adopting too much risk? Doesn't that help CIOs achieve their goal of bringing innovation to the business? I think there are some real problems and some perceived ones.
From the CIO's perspective, there are three problems with network security today:
- Security is an impediment. In many organizations, there is a certain inflexibility around security: everything is black and white, everything new is dangerous and bad, and when in doubt, block it.
- Security is a requirement. Compliance, the need to maintain the organization's image (i.e., keep the company out of data breach articles in the press), and the increasing awareness that cybercriminals are out to do enterprises harm all point to the need for good (better?) security.
- Security is a pain. Given the rate of innovation in technologies enterprises adopt, how they adopt them, the risks that accompany them, and the failure of basic network security infrastructure to adapt, security has become expensive, complex, and slow.
All of this adds up to something that is necessary, painful, and slows down the key initiative of the "Chief Innovation Officer". There are solutions to these problems, but they require some changes in the way organizations think about security (policies) and the way security is enforced (controls). Regarding policies, organizations need to shift to:
- Policies that enable. Applications aren't threats, and in fact, in many cases, they are how folks get their jobs done in better, faster, and cheaper ways. Enable that! But limit unnecessary risk.
- Policies that can be enforced. Nothing breeds contempt (or legal action) like unenforced policies. Policies have to be enforceable, which often means new or upgraded controls to contend with the innovation we've all seen in applications and the increasing sophistication of threats. Policies also have to be fine-grained enough to enable innovation, yet limit function, users, or content in a way that reduces the unnecessary risk carried by that innovation.
- Policies that live in the firewall. IT executives are tired of the "see a new technology, add another security appliance" stance that the network security industry has taken. Given that the firewall is the only device that can enable (everything else has a negative security model) and is often the only device that sees all traffic, the firewall is the right place to meet the two requirements immediately above; therefore these policies must be enforced in the firewall. It goes without saying that traditional port-based stateful inspection firewalls can't do this, nor can devices that are built on top of stateful inspection (UTM). Next-generation firewalls use application-based traffic classification, which opens the door to safe enablement.
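As an added illustration (not part of the original post), the hypothetical Python sketch below contrasts a port-based rule with a fine-grained, application-based policy that follows a positive security model; the names Flow, AppRule, port_policy and app_policy, the rules and the sample flows are all constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Flow:
    port: int          # the only attribute a port-based firewall can act on
    app: str           # application identified by traffic classification
    function: str      # sub-function within the app (browse, upload, ...)
    user_group: str    # identity of the user behind the flow


@dataclass(frozen=True)
class AppRule:
    app: str
    groups: FrozenSet[str]
    functions: FrozenSet[str]


ALLOWED_PORTS = {80, 443}


def port_policy(flow: Flow) -> bool:
    """Port-based stateful inspection: anything on an open port is allowed."""
    return flow.port in ALLOWED_PORTS


def app_policy(flow: Flow, rules: List[AppRule]) -> bool:
    """Application-aware positive model: a flow is allowed only when a rule
    explicitly enables its app for that user group and function; default deny."""
    return any(
        flow.app == r.app and flow.user_group in r.groups and flow.function in r.functions
        for r in rules
    )


# Constructed rules: enable webmail for everyone, but limit uploads to finance.
# File sharing is not enabled for anyone, so it is denied without a block rule.
RULES = [
    AppRule("webmail", frozenset({"finance", "contractor"}), frozenset({"browse"})),
    AppRule("webmail", frozenset({"finance"}), frozenset({"browse", "upload"})),
]

# Constructed flows, all on TCP 443, so a port-based rule cannot tell them apart.
FLOWS = [
    Flow(443, "webmail", "browse", "contractor"),
    Flow(443, "webmail", "upload", "contractor"),
    Flow(443, "webmail", "upload", "finance"),
    Flow(443, "file-sharing", "upload", "finance"),
]


def compare(flows: List[Flow] = FLOWS) -> List[Tuple[str, str, str, bool, bool]]:
    """Return (app, function, group, port_decision, app_decision) for each flow."""
    return [(f.app, f.function, f.user_group, port_policy(f), app_policy(f, RULES)) for f in flows]
```

The port-based policy allows all four flows because they share port 443, while the application-based policy enables the two intended uses and denies the contractor upload and the file-sharing flow.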
So if an organization does address the issues with network security in the above ways, CIOs should expect to be able to: enable strategic initiatives (i.e., security is no longer an impediment), reduce the risk without reducing the benefit of those initiatives (i.e., meet the requirement for security), and simplify both security infrastructure and operations (i.e., reduce the pain of implementing and operating network security). I think this is where network security could start to get interesting for CIOs.