Information workers in India are increasingly using their personal devices, applications, and web services to accomplish both personal and work-related activities. Results from Forrester’s Forrsights Workforce Employee Survey, Q4 2012 indicate that at least 85% of employees use phone/tablet applications and web-based services for both purposes which is putting corporate information security under serious threat.
My interactions with numerous infrastructure and operations (I&O) professionals from large enterprises in India over the past six months have revealed that there is a high degree of awareness of the need to develop a bring-your-own-technology (BYOT) policy. However, actual implementations aren’t yet common, as I&O professionals are unable to address management’s three key concerns. These are, in order of priority:
How can we ensure that information on employee-owned hardware and software is secure?
In the past few days, almost every conversation I have had with a CISO has somehow stumbled onto the topic of the data breach at the US Department of Defense (DoD) and subsequent release of that information through WikiLeaks. Many CISOs have told us that their executives are asking for reassurances that this type of large-scale data disclosure is not possible in their organization. Some executives have even asked the security team to provide presentations to management educating them on their existing security controls against similar attacks. Responding to these questions is tricky: “It’s like treading on a thin ice,” commented one CISO. If you tell them everything is under control you may create a false sense of security. If you tell them that it is very likely that such an incident can happen within their organization – it may be a career limiting move.
I would recommend giving the executives a dose of reality. I do many security assessments for our clients and often find that many organizations are solely relying too much on technology and infrastructure protections they have. Today’s reality is very different. We often operate in a global context with large and complex IT environments making it hard to monitor and track data and we are sharing a tremendous amount of sensitive information with business partners and third parties. All of these realities were faced by the US government as well and probably all contributed to the circumstances that led to the disclosure of data.
As many of you try to extract the lessons learned from this episode, here is my take on it – It is a failure of not a single security control but a set of multiple preventative and detective lapses.
Failure of preventative controls: Governance, Oversight and Access Control