Mike Baker is the Founder and Principal at Mosaic451.
Magic is awesome at carnivals, and it most certainly got young wizard Harry Potter out of a few jams, but when magic is used with the hope that it will suddenly make your firm more secure – it simply does not work.
Magic is the intoxicating lure of a quick technological fix, paired with the blinkered thinking that technology alone will keep the hackers at bay. Data centers are under constant pressure to safeguard assets; however, too many firms focus on security for the purpose of being in compliance. For example, the energy industry has secrets to protect, and there are huge regulatory burdens from the NERC (North American Electric Reliability Corporation), which maintains a set of cybersecurity standards for Critical Infrastructure Protection (CIP).
Cybersecurity has vaulted to the forefront of concerns for many businesses, yet fewer than one-third, whether it is energy, healthcare, finance or government agencies, say they’re prepared to meet the growing threat of an attack. Using the energy industry as an example, “We are seeing an industry that is actively moving forward with the deployment of comprehensive asset protection plans following several high-profile cyber and physical threat events,” according to an industry report from consulting firm Black & Veatch titled 2014 Strategic Directions: U.S. Electric Industry. However, only 32 percent of electric utilities surveyed for the report had integrated security systems with the “proper segmentation, monitoring and redundancies” needed for cyberthreat protection. Another 48 percent said they did not.
In 2013, a hacker compromised a U.S. Army database that held sensitive information about vulnerabilities in U.S. dams. In 2014, it was reported that Nuclear Regulatory Commission (NRC) computers had been successfully hacked within the past three years, twice by foreigners and also by an unidentifiable individual, according to an internal investigation.
The question is not “if” a cyberattack will happen but “when”. An even more important question is: Are we using the right approach to protect assets?
The Technology Disconnect
Compliance is a necessity and critically important, but here’s the big disconnect. Organizations should be devoting more resources to security for availability and for confidentiality. Do most corporations even want to be in the security business? No, but they must be because of the assets they hold.
Organizations fall short and expose themselves to cyberattacks when they over-rely on “magic and widgets”. Most companies, if they have funds, will buy the widget because something must be made to work to comply with the latest regulations. Spending millions on the latest technology might seem useful, but it is effectively useless.
Many organizations check boxes on the compliance checklist rather than look at their operations as a critical network and seek ways to defend it. They need to stop checking boxes. It is not that organizations are lazy; they just rely on magic. There is a very human desire to buy something tangible. Technology alone often attracts people who want to avoid responsibility. The magical widget means they don’t have to learn anything. It’s the short-term, easy fix.
For any organization serious about protecting assets, the brightest minds must be deployed, and the toolset utilized is secondary to the core intellectual capital that must be developed. This is where Managed Services Providers (MSPs) come into play.
Is Your MSP Just “Mailing It In?”
Buying an “intelligent human network” to keep assets secure does not mean doing everything remotely. It’s not a mail-in service. The best MSPs are those with a hybrid approach of remote and onsite engineers. If there aren’t people onsite, they don’t understand how information moves in times of crisis. Nothing can replace face-to-face interaction.
In a traditional Security Operations Center (SOC), the SOC is only responsible for monitoring. A hybrid MSP that employs both technology and an intelligent human network of onsite personnel can monitor and act as a full operations team.
If a company expects to pass the security test, the most effective approach is to form a hybrid MSP team of the most experienced professionals available and empower them with best-in-class technology. Technology, if deployed correctly, is a force multiplier for intelligent human beings.
Threats from hackers and cyberterrorists (both perceived and real), legislative mandates with the promise of fines for non-compliance, and the opportunity to upgrade network infrastructure are all driving compliance in the energy industry. With more and more sophisticated attacks being launched and dedicated to exploiting and compromising SCADA (supervisory control and data acquisition) infrastructure vulnerabilities, it’s more critical than ever to secure and protect networks.
Many industries exist in an environment where threats are both real and virtual; physical damage can be triggered by natural forces or nefarious intent. The best approach is preparedness, but there is not a single solution or magical Patronus Charm. It takes a complex and systematic approach that addresses both the physical elements of cybersecurity and the cyber elements of physical asset security. That approach will help organizations be better equipped and educated to manage the full spectrum of attacks every group will undoubtedly face.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.