Over the last few weeks, we’ve been collecting your thoughts on the challenges you face when talking to colleagues on the business side of your organisation on the subject of software-defined network virtualization and security.
From the biggest challenges with data breaches and the most unrealistic inbound requests to tackle them, to the finest analogies or foolproof language used to explain security scenarios, you’ve shared the best and worst cases you and your IT teams have battled with to help the wider business make sense of issues relating to network security.
After analysing your responses, we’ve been able to paint what we think is an invaluable picture of the struggles to convey this issue internally, despite the fact that cybersecurity has risen to the mainstream media agenda. With applications and user data active on more devices in more locations than ever, it’s clear that many business leaders are overestimating how effective their investments in cyber security are. For instance, continual headlines of high-profile data breaches suggest existing approaches are failing to protect businesses, despite significant investment in this area. In order to protect this data, the business’s brand and ultimately customer trust, there is a need for more transparency through a ‘built-in’ security architecture approach and strategy that everyone in the business can understand.
We’ve used many of your insights to create a series of light-hearted comic strips that shine a new light on the difficulties and cultural challenge of enabling IT and the business to connect with each other through a mutually understood language. Keep an eye out for the full series appearing on our Twitter feed over the coming weeks.
Making the wider business aware of security challenges is a major struggle
87% of you that joined in on our poll agreed that you struggled to make the wider business aware of security challenges, with a third of you strongly agreeing with the statement.
Furthermore, you see the greatest challenges in making the business aware of the security risks the organisation faces as, “Business doesn’t understand the security terminology”, “Business doesn’t take the threats IT is raising seriously” and “Security isn’t deemed a key business priority for the organisation”.
Interestingly, these findings were echoed in our global study on security with The Economist Intelligence Unit, where only five percent of non-security C-Suite executives surveyed considered cyber security to be their highest priority initiative. A picture is emerging of CEOs possibly burying their heads in the sand, despite glaring indicators to shape up and take action.
IT’s explanations of technical terms vary greatly – and it’s hampering the wider business’ understanding
Your plain-English descriptions of a number of technical terms generated a wide range of responses. ‘Data breach mitigation’, for example, was described as ‘Managing the security of the hardware and the software’ along with the snappier ‘un-disaster’, while interpretations of ‘Business continuity’ ranged from ‘coping with a major outage’ to ‘only the mission matters’.
With such a diverse number of interpretations and explanations of technical security terms, communicating them in a single, straightforward language that allows the wider business to understand their implications is a huge challenge. This is true of the vast majority of tangible actions, but you highlighted a few in particular as being especially difficult.
These included the importance of security controls inside the perimeter of the data center; the necessary measures employees have to take following a data breach; ensuring employees update the device they use to access company data; and communicating to staff the growing sophistication of targeted attacks and breaches and the impact they can have. The fact that these include critical matters that should be understood as a matter of course is particularly striking, and suggests an even greater need for regular, back-to-basics security training throughout the business.
Micro-segmenting understanding of micro-segmentation
One technical term that we saw repeatedly inspire the broadest range of straight-talking explanations is micro-segmentation, which (broadly speaking) enables the deployment of granular security controls to every virtual machine in the data center – or, put another way, has security baked into the network and the application rather than the perimeter. When asked to indicate which language they’d used to explain the importance of this technology to the wider business, respondents to our survey opted for ‘Giving visibility of data breaches, instantly’, ‘The ability to prevent the spread of lateral attacks within the organisation’ and ‘The ability for security administrators to defend against breaches’, suggesting a lack of a single explanation that encompasses all of the benefits of adopting this approach. Perhaps surprisingly, ‘automation of security policy management’ did not come higher, given that it can be a key requirement for organisations running a large firewall infrastructure.
Beyond this, when asked to share the best way you had ever heard micro-segmentation described, suggestions ranged from the almost philosophic ‘The smallest detail missed is the most important one’ to the clear, straight-to-the-matter ‘It’s like having a firewall on every VM interface’.
So, how can micro-segmentation best be explained? We asked Andy Kennedy, our SE Manager and Field CTO, to share the best analogy he’s come across in his many conversations around the subject.
Look at a data center as a form of prison, with gates and x-ray machines to keep ‘the bad stuff’ out. A data center has perimeter defences such as next-generation firewalls (a little like the gates and x-ray machines). Unfortunately, in both the real and virtual examples, we know that these do not keep all of the bad stuff out (e.g. mobile phones and drugs in prisons; ransomware and malware in data centres).
Prisons have wings/blocks where different types of prisoner (high-risk, general population) can be separated, but are free to roam within the wing, which can lead to problems if a disturbance arises. The same is true with a data center. We typically separate this into trust zones, ‘demilitarised’ zones and untrust zones. Again, traffic is free to go anywhere within that zone, but this doesn’t really stop an issue when a breach occurs. There is then a micro level of segmentation. In a prison, this is a cell with a single door, but there are controls (e.g. the bars) to control what goes in and out. This also follows with our data center analogy, except in this case instead of a cell we have a VM. Each and every interface on that VM has its own set of controls (a firewall policy) to provide fine-grained management of traffic.
This can also be taken one step further. Imagine if you could record every audio conversation and monitor video links within every cell of a prison, providing the highest level of visibility and defence possible. In a data center with micro-segmentation, we can do the same whereby NSX technology partners can use a technique known as introspection to monitor each and every packet or process inside a VM.
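The difference between the ‘wing’ and the ‘cell’ in the analogy above can be made concrete with a small policy simulation. The following is an added example written for this post; it is not VMware or NSX code and does not model any real product’s rule format. The VM inventory, the zone names, the two policy tables and the sample flows are all constructed. It evaluates the same set of flows under a zone-level policy (anything inside a zone may talk to anything else in that zone) and under a per-VM interface policy (default deny, explicit allow list per destination), and reports the flows that only the per-VM policy blocks, which is exactly the east-west traffic a breach inside a zone would otherwise be free to use.

```python
"""Zone-level versus per-VM (micro-segmented) policy evaluation.

Added illustration for the prison analogy; not VMware/NSX code.
All VMs, zones, policies and flows below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str   # source VM name
    dst: str   # destination VM name
    port: int  # destination TCP port


# Constructed inventory: VM name -> trust zone ("wing" in the analogy).
VMS = {
    "web-1": "dmz",
    "web-2": "dmz",
    "app-1": "trust",
    "db-1": "trust",
}

# Zone-level policy: (source zone, destination zone) pairs that may talk,
# on any port. Traffic that stays inside one zone is implicitly permitted.
ZONE_POLICY = {("dmz", "trust")}


def zone_allows(flow: Flow) -> bool:
    """Coarse zone firewall: free to roam within a zone, else consult pairs."""
    src_zone = VMS.get(flow.src, "untrust")
    dst_zone = VMS.get(flow.dst, "untrust")
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone) in ZONE_POLICY


# Per-VM interface policy ("cell" in the analogy): for each destination VM,
# the set of (source VM, port) pairs that its interface admits. Anything
# not listed is denied, including traffic from VMs in the same zone.
VM_POLICY = {
    "web-1": set(),  # nothing inside the data center needs to reach web-1
    "web-2": set(),
    "app-1": {("web-1", 8443), ("web-2", 8443)},
    "db-1": {("app-1", 5432)},
}


def vm_allows(flow: Flow) -> bool:
    """Firewall on the destination VM's interface: default deny."""
    return (flow.src, flow.port) in VM_POLICY.get(flow.dst, set())


def lateral_flows_blocked(flows):
    """Flows a zone-only policy admits but the per-VM policy denies.

    These are the east-west paths an intruder already inside a zone could
    use under zone-level segmentation alone.
    """
    return [f for f in flows if zone_allows(f) and not vm_allows(f)]


# Constructed sample traffic, mixing legitimate application flows with
# the kind of intra-zone and cross-tier traffic a breach would generate.
SAMPLE_FLOWS = [
    Flow("web-1", "app-1", 8443),  # legitimate web -> app
    Flow("app-1", "db-1", 5432),   # legitimate app -> database
    Flow("web-1", "web-2", 22),    # web server reaching a peer in the same zone
    Flow("app-1", "db-1", 22),     # app server reaching the database on SSH
    Flow("db-1", "web-1", 443),    # database calling back out to the DMZ
    Flow("web-2", "db-1", 5432),   # DMZ host going straight to the database
]


def summarise(flows):
    """Return (flow, zone verdict, per-VM verdict) for each sample flow."""
    return [(f, zone_allows(f), vm_allows(f)) for f in flows]


if __name__ == "__main__":
    for flow, by_zone, by_vm in summarise(SAMPLE_FLOWS):
        print(f"{flow.src:>5} -> {flow.dst:<5}:{flow.port:<5} "
              f"zone={'allow' if by_zone else 'deny ':<5} "
              f"per-VM={'allow' if by_vm else 'deny'}")
    blocked = lateral_flows_blocked(SAMPLE_FLOWS)
    print(f"\n{len(blocked)} flow(s) pass the zone policy but not the per-VM policy")
```

Running it shows the two legitimate flows allowed by both models, the database-to-DMZ call blocked by both, and three flows (the same-zone SSH hop, app-to-database SSH and DMZ-to-database) that the zone policy waves through and only the per-interface policy stops. That gap is the concrete content behind ‘a firewall on every VM interface’.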
Your views on this subject demonstrate that there is a tremendous opportunity for businesses to re-evaluate how security issues are valued and communicated within the organisation, but with IT practitioners struggling to get the business to understand security, it’s little wonder warnings have been falling on deaf ears so far.
In order to reach this level of straight talk, a new approach is required. It’s time to ditch the heavy tech talk and simplify security policy language. By implementing a software-defined approach that can enable built-in security architecture and provide a more systemic and speedier approach to preventing, detecting, and responding to cyber attacks, data center networking can be transformed to become crystal-clear to everyone in the business, making a new level of security possible. That’s why savvy IT leaders are investing in network virtualization.