Why Information Security Must be as Adaptable as the Environment it Protects

Why information security must be more deeply integrated into everyday processes through intelligent automation.

By Dan Yachin

“It is not the strongest of the species that survives… It is the one that is the most adaptable to change” (Charles Darwin)

The digital transformation wave that has been sweeping across all industries is a modern manifestation, of sorts, of Charles Darwin’s theory. Organizations, like organisms, must adapt to survive. Today, adaptability is intertwined with the ability to embrace and leverage technology innovation. Unfortunately, information security is often an inhibitor to adaptability.

During my time at the market research company, IDC, where I spent 15 years heading the Emerging Technologies research practice, I was often asked about “the next big thing in…” If you ever want to annoy an analyst, this is probably the best way. As the old saying goes, prophecy was given to fools, and technology prophecy is no different. But there is a certain exception to this rule: In information security, it has been fairly easy to “analyze the future,” as stated in IDC’s tagline.

Traditionally, information security has been reactive and lagging behind innovation trends. First there was the Internet...and then came the firewall. First there was the smartphone...and then mobile security. A few years ago, I participated in a panel discussion where I was asked about, well, the next big thing in information security. So I took a deep breath, counted to ten and blurted out “IoT security,” because it was the very early days of IoT. Months later, IoT became one of the hottest areas for security startups.

Have I mentioned that prophecy was given to fools?

Catching up is not enough

Since then, it seems that information security has been catching up. Autonomous vehicles were little more than a concept when startups began developing solutions to protect self-driving cars against hacking. Serverless computing is still in its infancy but serverless security companies are already being acquired.

As the hype cycle for emerging technologies gets shorter, the information security industry is indeed responding faster than ever to trends. However, as the pace of innovation continues to accelerate, it might not be enough.

Across all industries, organizations are digitizing every part of their business as they realize that embracing technology innovation on a regular basis is essential for remaining competitive. To support this effort, they need IT environments that are flexible and scalable enough to incorporate change, usually by leveraging cloud, mobility, Big Data analytics and other enabling technologies.

The downside is that these IT environments tend to become unmanageable and unpredictable with complex interdependencies between an ever-growing number of moving parts and multiple human-to-machine and machine-to-machine interactions happening simultaneously. Hence, adaptability can only be achieved by automating key processes relating to managing and securing IT infrastructures and operations.

Trading off control for adaptability

In other words, to achieve adaptability we must relinquish at least some control. This trade-off might not be straightforward. When it comes to security, organizations are typically reluctant to rely on automation. This is why security systems are so often switched from prevention mode to detection-only. But with so many changes to manage, there is no other way.

The need for security automation is particularly salient in processes such as defining and updating access policies and permissions. In dynamic cloud environments, these processes cannot be done manually at scale as the need for frequent human involvement may cripple the ability to change and adjust on-demand, which is one of the primary drivers for cloud adoption.

Automation doesn’t mean compromising on the level of security. On the contrary, it could reduce the chance of incidents due to manual human error in the configuration of accounts and definition of access rights and privileges.

With security operations, automation is nothing new. So far, however, it has centered on optimizing the handling of alerts, events, incidents, etc. The first line of defense – controlling access to data and resources – has remained a largely manual, labor-intensive task, mainly due to the lack of adequate solutions to centrally manage access across heterogeneous IT environments, and hybrid and multi-cloud infrastructures in particular.

As much as automation is required to streamline access management, it must be implemented carefully and gradually. Processes should be automated only after establishing continuous, contextual understanding of users, systems, services and the data that is being accessed and used. We must also be able to analyze and categorize the interactions between multiple entities (humans and machines alike) by level of potential risk and adjust security policies and controls accordingly. This way, we could use automation only in risk-free situations, which could significantly reduce the number of manual access decisions.

Although there are significant technology challenges to address, information security must evolve to be more deeply integrated into everyday processes through intelligent automation. Eventually, it must be as adaptable as the IT environment it needs to protect.

 

Dan Yachin is an independent market strategy consultant and IT Analyst, and former head of Emerging Technologies at IDC.