It’s a sliding scale that businesses must adjust so the level of trust is equal to or greater than the risk to the business. If not, the business needs to either adjust trust or risk, he says.
Context is important in determining trust, he says. The machine connecting to a network, who the user is, how the connection is made, the user’s role and where data comes from are all examples of trust attributes that can be weighed in making trust decisions. Identity federation, attribute access control, standards and methodologies for demonstrating trust all contribute to assigning appropriate levels of trust, he says.
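As an added illustration of the trust-versus-risk balance described above (example code written for this page, not from the article or from Gartner), the following Python policy engine weighs the attributes the article lists into a trust score and compares it against the risk of the requested resource. The attribute names, weights, resource risk tiers and role entitlements are assumptions chosen to make the mechanics visible; a real deployment would take them from its own risk register.

```python
"""Risk-adaptive access decision: weigh context attributes (device, user,
connection, role, data origin) into a trust score and compare it against the
risk level of the requested resource.

Added example; not from the article or from Gartner. Attribute names, weights,
resource risk tiers and role entitlements are assumptions for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_managed: bool      # corporate-managed device (trusted hypervisor / container)
    device_attested: bool     # device integrity attestation succeeded
    auth_strength: str        # "password", "mfa" or "hardware_key"
    network: str              # "corporate", "vpn" or "public"
    idp_assurance: int        # assurance level asserted by the federated IdP (1..3)
    data_origin: str          # "internal", "partner" or "unknown"


# Assumed weights per attribute; a fully trusted request scores 100.
AUTH_WEIGHT = {"hardware_key": 30, "mfa": 20, "password": 5}
NETWORK_WEIGHT = {"corporate": 15, "vpn": 10, "public": 0}
ASSURANCE_WEIGHT = {1: 5, 2: 10, 3: 15}
ORIGIN_WEIGHT = {"internal": 5, "partner": 2, "unknown": 0}

# Assumed risk of each resource on the same 0..100 scale.
RESOURCE_RISK = {"public_docs": 10, "crm": 50, "payroll": 80, "prod_db_admin": 95}

# Assumed role entitlements: role is a hard gate, the other attributes are weighed.
ROLE_ENTITLEMENTS = {
    "contractor": {"public_docs"},
    "employee": {"public_docs", "crm"},
    "finance": {"public_docs", "crm", "payroll"},
    "dba": {"public_docs", "crm", "prod_db_admin"},
}


def trust_score(req: AccessRequest) -> int:
    score = AUTH_WEIGHT.get(req.auth_strength, 0)
    score += 20 if req.device_managed else 0
    score += 15 if req.device_attested else 0
    score += NETWORK_WEIGHT.get(req.network, 0)
    score += ASSURANCE_WEIGHT.get(req.idp_assurance, 0)
    score += ORIGIN_WEIGHT.get(req.data_origin, 0)
    return min(score, 100)


def decide(req: AccessRequest, resource: str) -> dict:
    """Allow when trust >= risk. Otherwise try to raise trust (step-up to a
    hardware key); failing that, deny, leaving the caller the option of
    lowering the risk instead (e.g. a read-only or containerized view)."""
    risk = RESOURCE_RISK[resource]
    trust = trust_score(req)
    if resource not in ROLE_ENTITLEMENTS.get(req.role, set()):
        return {"decision": "deny", "trust": trust, "risk": risk, "why": "role not entitled"}
    if trust >= risk:
        return {"decision": "allow", "trust": trust, "risk": risk, "why": "trust >= risk"}
    if req.auth_strength != "hardware_key":
        stepped_up = replace(req, auth_strength="hardware_key")
        if trust_score(stepped_up) >= risk:
            return {"decision": "step_up", "trust": trust, "risk": risk,
                    "why": "hardware-key authentication would close the gap"}
    return {"decision": "deny", "trust": trust, "risk": risk,
            "why": "trust gap cannot be closed by step-up"}


if __name__ == "__main__":
    finance_user = AccessRequest("carol", "finance", True, True, "password",
                                 "corporate", 2, "internal")
    print(decide(finance_user, "crm"))       # allow: 70 >= 50
    print(decide(finance_user, "payroll"))   # step_up: 70 < 80, hardware key gives 95
```

The three outcomes map onto the article's sliding scale: "allow" when trust already covers the risk, "step_up" when trust can be raised to meet it, and "deny" when it cannot, which is the point at which the business must lower the risk of the transaction instead.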
This must be balanced with concerns about privacy of personal and corporate data. That can be aided with encryption that is underpinned by blockchain technology like that used to verify Bitcoin transactions. He says startups are working on adapting this to deliver secure transactions and ensure privacy by enabling the sharing of identity attributes without over-exposing them.
Tools that can help include trusted hypervisors and containerization on untrusted devices, filtering with security gateways, and pervasive use of encryption with trusted key management.
IT needs to bridge the gap with software developers to encourage building security into the software development life cycle, Gaehtgens says. “We need to be involved at every phase of SDLC,” he says, both to encourage the use of security APIs in applications and to protect those APIs with API gateways.
Despite best efforts, security will likely be breached, and a plan for detecting and quickly responding to these incursions must be in place, Firstbrook says.
Tools for this include behavior analytics of both users and devices, using machine learning to spot changes in behavior that could indicate trouble. Deception tools can trap attackers and reveal their goals, he says.
Businesses need to find security hunters to digest this information so that security incidents are picked up quickly, he says. When these are spotted, businesses need to isolate suspect devices and users and put a hold on transactions pending investigation, he says.
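The detect-then-contain loop described in the two paragraphs above, as an added example written for this page (not from the article or from any Gartner product): a per-user behavioral baseline is built from authentication history, a day's events are scored against it, and findings with enough independent signals are turned into the containment actions the article names, isolating the device and holding the user and their transactions. The log format, the constructed log lines, the thresholds and the action names are assumptions; a simple statistical baseline stands in for the machine-learning models the article refers to.

```python
"""User and device behavior analytics over authentication logs: build a
per-user baseline from history, flag deviations, and emit containment actions.

Added example, not from the article or any Gartner product. Log format, sample
lines, thresholds and action names are assumptions chosen for illustration.
"""
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

Z_THRESHOLD = 3.0         # assumed: daily login count this far above baseline is a burst
FAIL_THRESHOLD = 5        # assumed: this many failed logins in a day is suspicious
SIGNALS_TO_CONTAIN = 2    # assumed: two independent signals trigger containment


# Constructed history, line format "<iso8601> <user> <src_ip> <country> <device> <outcome>":
# alice logs in at 09:05 and 13:05 from the US, bob once at 08:30 from Germany, for 14 days.
def _history():
    lines = []
    for day in range(14):
        d = (datetime(2024, 3, 1) + timedelta(days=day)).strftime("%Y-%m-%d")
        for hour in (9, 13):
            lines.append(f"{d}T{hour:02d}:05:00Z alice 10.1.2.3 US laptop-alice OK")
        lines.append(f"{d}T08:30:00Z bob 10.1.7.9 DE laptop-bob OK")
    return lines


HISTORY = _history()

# Constructed events for the day under review: a 03:00 burst against alice's account
# from a new country and device (six failures, then six successes), plus both users'
# normal morning logins.
TODAY = [f"2024-03-15T03:{m:02d}:11Z alice 203.0.113.7 RU unknown-android "
         f"{'FAIL' if m < 6 else 'OK'}" for m in range(12)]
TODAY += ["2024-03-15T09:05:00Z alice 10.1.2.3 US laptop-alice OK",
          "2024-03-15T08:30:00Z bob 10.1.7.9 DE laptop-bob OK"]


def parse_line(line):
    ts, user, ip, country, device, outcome = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "ip": ip, "country": country, "device": device, "outcome": outcome}


def build_baseline(lines):
    """Per-user profile: countries, devices and hours seen, plus daily login stats."""
    seen = defaultdict(lambda: {"countries": set(), "devices": set(),
                                "hours": set(), "daily": Counter()})
    for ev in map(parse_line, lines):
        p = seen[ev["user"]]
        p["countries"].add(ev["country"])
        p["devices"].add(ev["device"])
        p["hours"].add(ev["ts"].hour)
        p["daily"][ev["ts"].date()] += 1
    baseline = {}
    for user, p in seen.items():
        counts = list(p["daily"].values())
        baseline[user] = {"countries": p["countries"], "devices": p["devices"],
                          "hours": p["hours"], "daily_mean": statistics.mean(counts),
                          "daily_stdev": statistics.pstdev(counts)}
    return baseline


def detect(baseline, lines):
    """One finding per user whose day deviates from their baseline."""
    by_user = defaultdict(list)
    for ev in map(parse_line, lines):
        by_user[ev["user"]].append(ev)
    findings = []
    for user, events in by_user.items():
        prof = baseline.get(user)
        if prof is None:
            findings.append({"user": user, "devices": sorted({e["device"] for e in events}),
                             "reasons": ["no_baseline"]})
            continue
        reasons = []
        new_countries = {e["country"] for e in events} - prof["countries"]
        new_devices = {e["device"] for e in events} - prof["devices"]
        off_hours = {e["ts"].hour for e in events} - prof["hours"]
        fails = sum(e["outcome"] == "FAIL" for e in events)
        # Floor the spread at 1 so a perfectly regular history does not divide by zero.
        z = (len(events) - prof["daily_mean"]) / max(prof["daily_stdev"], 1.0)
        if new_countries:
            reasons.append("new_country:" + ",".join(sorted(new_countries)))
        if new_devices:
            reasons.append("new_device:" + ",".join(sorted(new_devices)))
        if off_hours:
            reasons.append("off_hours:" + ",".join(f"{h:02d}" for h in sorted(off_hours)))
        if z >= Z_THRESHOLD:
            reasons.append(f"login_burst:{len(events)} vs mean {prof['daily_mean']:.1f}")
        if fails >= FAIL_THRESHOLD:
            reasons.append(f"failed_logins:{fails}")
        if reasons:
            suspect = new_devices or {e["device"] for e in events}
            findings.append({"user": user, "devices": sorted(suspect), "reasons": reasons})
    return findings


def respond(findings):
    """Containment plan: hold the user and their transactions, isolate suspect devices."""
    actions = {"hold_user": [], "isolate_device": [], "hold_transactions": [], "investigate": []}
    for f in findings:
        if len(f["reasons"]) >= SIGNALS_TO_CONTAIN:
            actions["hold_user"].append(f["user"])
            actions["isolate_device"].extend(f["devices"])
            actions["hold_transactions"].append(f["user"])
        else:
            actions["investigate"].append(f["user"])
    return actions


if __name__ == "__main__":
    found = detect(build_baseline(HISTORY), TODAY)
    for f in found:
        print(f["user"], f["devices"], f["reasons"])
    print(respond(found))
```

The findings are what the article's "security hunters" would triage: a single weak signal (one off-hours login, say) lands in the investigate queue, while several independent signals on the same account trigger containment automatically. Requiring more than one signal before holding a user is the usual trade-off between catching a compromise early and locking out a legitimate traveller.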
A crisis management team that spans legal, HR, IT, PR and business units needs to be created, trained and practiced so it can act quickly together when incidents arise, he says.
Once that is all in place, the plan has to be sold to the board using this template:
- Show the board you understand its business goals and objectives.
- List the risks you can control or manage in order to help meet business goals.
- Specify the technical steps you will take to address risks and meet business goals.