Data security has emerged as not only the top technology story of the year, but the dominant business lead, online and off. And it’s no surprise. In 2014, businesses sunk roughly $71 billion into the purchase and deployment of security solutions. That number is expected to grow another 8% this year to a whopping $77 billion. With that level of spending, we should have something pretty spectacular to show for it.
Unfortunately, recent headlines tell a different story. There’s a growing list of companies, people and even nations suffering the loss of private, confidential and ultimately valuable information. With so much attention and investment, why are attacks only increasing in severity and frequency?
It’s the pace and structure of modern business that has stretched traditional security measures past their breaking point. Information flows freely across devices and the cloud. Individual contributors have access to data previously only visible to executives. Competitiveness is measured not by economies of scale, but by the ability to understand and act on data. And customers expect a level of service tailored to their individual needs. In this environment, it’s impossible to plug every gap in the perimeter. It’s not feasible to manage every device. We need a new approach.
The good news is that we’re seeing change start to take hold. President Obama is taking cybersecurity into his own hands. Venture capital firms are investing heavily in security startups that are approaching the problem from new angles. It’s still too early to predict the winners, but if we’re going to protect our most valuable information, we need to start by recognizing four fundamental realities about security and work backwards from there.
1. There Is No Perimeter
Every time sensitive data is exposed, the hunt begins to find the gap in the fence and fill it quickly. Ten years ago, this was an appropriate response. But today, businesses of all sizes are built on services deployed in the cloud and accessed on mobile devices. That need to engage customers on their terms, to instantly react to trends and to keep large organizations running as nimbly as a startup, has made the cloud the default operating system for the enterprise. And as a result, trying to confine information to a well-defined perimeter is an exercise in futility.
A corollary to this is that we cannot assume control over specific endpoints. Great pains were taken to ensure only trusted individuals had access to Quentin Tarantino’s “Hateful Eight” script, yet it still leaked. This happens time and time again because even on a “managed device” there are gaps in the traceability of data, magnifying the risk of an individual copying data and sending it via personal email or some anonymous sharing site.
There must be an entirely new approach that makes the fundamental leap of logic that no matter how hard you try, data and bits will escape – and they probably already have. This doesn’t mean we need to accept defeat and live in fear. It means we need to get out of the mindset that data escaping is a bad thing and embrace that information will travel everywhere.
2. Security Is A Bottom-Up Problem
Before software started eating the world, employees had no choice but to accept whatever applications IT frankensteined together, but we all know that world is long gone.
In an era of continuous productivity, employees choose the tools that best fit them. Most of the time, we make responsible choices, but the possibility that sensitive data could leave the control of the organization, with no protection or monitoring terrifies IT. And that fear has crept into the boardroom. Rather than demonize careless employees, or try to force usage of a sanctioned set of applications, we must accept that our most creative teammates will inevitably find the path of least resistance and meet them there. It’s our role to make data protection as simple and easy as the solutions they bring to the office.
This isn’t about tacking on another archaic solution and demanding people switch behaviors, it means finding solutions that work invisibly within existing sharing and collaboration services.
3. Above All Else, Protect the Data
In a world with no walls and no endpoints, where people are empowered to choose, what are technologists to do? We must accept that data will inevitably travel beyond our direct control. Like getting breached, it’s not a question of “if” but “when, for everyone. It’s a big shift, but once made, tackling security in the modern world becomes drastically easier.
In the new model, security and policy attach to the data itself and travel wherever it goes, eliminating the risk of data falling into the wrong hands. When perimeter and endpoints are irrelevant and we expect information to leak, governing the relationship between people and disparate pieces of data – and controlling rights within this relationship in real-time – is the new ruling system for protecting information.
4. Every Company Must Become A Security Company
It also means every company must become a security company. In 2013, IBM reported that 90% of the world’s data was created over the last two years. Fast forward two years, we’re struggling with the challenges of protecting a tsunami of virtual information. What’s more, it’s this data that’s proving increasingly critical to nearly every business function and strategy – marketing, advertising, operations, retail performance, supply chain management and beyond. It’s become so fundamentally critical to every business function across industries that data has taken on a different form entirely. While it once brought to mind images of coded numbers in databases, today data is almost human – an integrated picture of our finances, relationships, as well as thoughts and feelings. Both businesses and individuals have no choice but to intelligently secure it.
With this shift underway, I believe that security will boldly establish itself as a critical driver of business success in the years to come. Only then will security transition from the shadows as a volatile and daunting cleaver, to a freeing force for efficiency, ubiquitous information sharing and smarter business decisions.