With last week’s sudden resignation of Target chairman and chief executive officer, Gregg Steinhafel, the stakes for network security just got a little higher. Of course the fact that hackers had stolen 40 million debit and credit card numbers from the retailer’s data banks as well as the personal data of as many as 70 million Target customers might be cause enough for network security to get a little more respect, but costing C-level executives their jobs – the CIO is also history – shouldn’t hurt.
Not that securing networks is easy, argues Chris Roeckl, VP of Marketing, VSS Monitoring, a developer of network packet brokers (NPBs) for optimizing and scaling networks and performance and security tools. He said the architecture of enterprise networks makes it difficult, or impossible, for security tools to have comprehensive, network-wide visibility.
Another consequence of that architecture is that removing, adding or upgrading security tools can create unforeseeable network latency or even halt network operations altogether. At the root of the problem, stated VSS, is the fact that network-monitoring tools and security tools are deployed on the same layer of most enterprise networks.
But first, let’s get back to Target and what else is going on in the network security industry. Gartner analyst Patrick Meehan said the Target breach could be a watershed moment in a retail industry that has traditionally been a laggard in IT, and in which CEOs and CIOs are often disconnected. However, very few CEOs of major companies are intimately familiar with their own security operations — and they should be, according to Craig Carpenter, chief cybersecurity strategist of AccessData Group Inc.
He said that cyberthreats are so pervasive and potentially damaging to brands that C-level executives and board members “cannot afford to not know what’s going on.” Cybersecurity needs to be considered by the entire C-suite and board just like key hires, compensation of executives and broader corporate governance, he added. “In this regard, a high-profile firing could be very helpful as each of Mr. Steinhafel’s peers wakes up the reality that they, too are at risk of losing their jobs.”
According to a recent study by the Ponemon Institute, sponsored by FireMon, there is massive overconfidence in enterprise security strength,highlighted by ineffective communications, and the inability to measure and accommodate change. In nearly 60% of the respondents, responsibility for managing the impact of business or technology change on security posture resides with C-level executives (CSO, CISO, CIO, CTO, etc.), and in 66%, executive and Board perception of security is “high.” However, the information on which that perception is based is disturbingly incomplete, with 60% of IT security staff informing executives of specific risks only when the risk is deemed “serious,” or not at all – and in more than half of the cases, actively omitting negative facts.
But wait, the news keeps getting better… er, worse: Verizon’s 2014 Data Breach Investigations Report has just been released. “After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime – and the bad guys are winning,” said Wade Baker, principal author of the Data Breach Investigations Report series.
“Organizations need to realize no one is immune from a data breach. Compounding this issue is the fact that it is taking longer to identify compromises within an organization – often weeks or months, while penetrating an organization can take minutes or hours,” Baker said.
With security prevention and resolution getting harder, and the costs to C-level execs getting higher, even data center security vendors will begin to feel the pain, according to a new report. “The most significant transformation affecting enterprise data centers today is the adoption of server virtualization technology,” notes Jeff Wilson, principal analyst for security at Infonetics Research.
“That said, buyers are performance hungry, and vendors must have the interfaces, connections, and throughput they require TODAY,” Wilson continues. “Buyers will switch vendors this year to get high-performance security infrastructure for the data center.”
Analyst Zeus Kerravala, ZK Research, was surprised by the results of a new study that found network security topped the list of the top three networking initiatives over the next 12 months, ahead of wireless and datacenter upgrades. “With all the momentum around data center initiatives and BYOD I was a bit surprised to see security rank #1. In fact, in the 2013 survey, network security was #4 behind WiFi, data center, and network management tools. This year security jumped from 11% in 2013 to 31% for 2014.”
He said there are a number of reasons for this change, including: security getting pushed to the side by the challenges of consumer devices and the cloud; and security is now a top concern for business leaders. The final piece of the puzzle which may explain the big kick in security focus was the question, “Which of the following technologies or projects have required more time and networking resources than last year?” The top three responses this year are the same as the top three the previous year: “server virtualization”, “network security” and “wireless networking”. However, of these “big three” responses, server virtualization and wireless networking fell slightly, where network security jumped up several percentage points.
Kerravala said it appears that “after a couple of years of being only hot, network security is moving back into the realm of being red hot.” Given the fact that security is now a top business driver and it’s taking more time from the network manager, he expect the heat to last at least a couple of years.
So now that we’ve determined that network security is at least getting a higher profile, if not priority, why will it be that difficult to make networks more secure? One problem, according to Roeckl, is the age-old silo issue: the network and security teams have different objectives.
Network professionals are driving hard as they can to meet network requirements, and they don’t want solutions that make their networks more complex. The security pros want to make sure the data is secure and that breaches and anomalies are addressed as quickly as possible.
“Our solution is that you put us in between the active network and the security solution tool.” This allows the security team to insert security solutions on a different plane, and make decisions on how network traffic is exposed to security solutions. Security and network professional now have a much higher degree of confidence.”
In addition to dealing with faster networks, there’s also the growing challenge of virtualization and software-defined everything. “Networks are being virtualized and security has to go with them,” said Roeckl.