Defense in depth is failing. As cybercrime mounts and attackers exploit the spectrum of technical and managerial weaknesses, companies must adopt a full-spectrum defense.
We are facing a not-so-perfect storm of rapidly changing business requirements, cybercrime and compliance. The prevailing winds of outsourcing, partnering and mobility are driving companies to overextend. Technology is locked in a feedback loop with business, and it is no accident that technology trends such as service-oriented architecture and de-perimeterization mirror business trends toward loosely coupled outsourcing and process networks.
Cybercrime dogs individuals and organizations alike. Malware is everywhere, with criminal or commercial intent. Worms and viruses marshal botnets, plant crimeware and assist phishing. But because insiders are always the greater threat, it also is worrisome that business trends are bringing more insiders into our networks.
There is talk of inflation in the financial markets. But in IT we face consequence inflation. Risks are rising with growing compliance backlash to data spills, identity theft and corporate fraud.
Protection is becoming a management problem of considerable proportions. Each new attack vector or compliance demand spawns new products, whether or not they are required. Competing technical safeguards are tripping over each other in a race to catch up with layers of changing infrastructure and applications. The result is greater complexity.
The answer to these challenges is a full-spectrum defense. Simply put, this means defense in depth plus defense in breadth. Significant technical improvements can be made to layered defenses (depth) by increasing assurances for the user, identity and system, as well as network protections. Companies also should build a technical control system that integrates and interoperates across multiple platforms, applications and security technologies. This requires improvements in system-management components such as change control, workflow and automated software distribution, as well as features we normally think of as falling under security management.
Gaining breadth of control is the greater challenge. The technical control system and security processes also must cover outside business partners that have become part of the extended enterprise ecosystem. Trust networks, audit standards and well-constructed contracts all play a role. Organizations also can leverage ISPs and network intelligence services to enhance business continuity, filter content or correlate and thwart threats from the Internet at large.
IT security staff cannot do it alone. Security programs must engage top management and the business units that make up the core enterprise and run the extended enterprise. Security must become part of normal business process, accountability and incentives. This requires security officers to communicate effectively with the business: to create risk-management processes that encourage the right trade-offs, and metrics that help the program manage itself and adapt. This is never easy, but it is the only route to a full-spectrum defense.