Source: Mark Chaplin, Principal, ISF
11 Apr 2019
What does your organisation’s technology landscape look like, and is it secure?
At a recent workshop with security professionals, we explored the reality and risks of the technology landscape upon which many leading organisations are so dependent. The technical infrastructure, which has evolved over multiple decades, introduces different challenges that are often unique to each organisation. This situation is compounded as organisations continue to look for, and adopt, the next ‘must have’ technology.
A common phrase heard when discussing legacy systems is “if it ain’t broke, don’t fix it.” This philosophy has served organisations well for many years, but the circumstances have now changed. This has forced technologists to revisit business requirements and challenge assumptions about the value delivered by legacy systems. Against a backdrop of increased business pressure to connect, interrogate and control these elderly systems, obsolescence represents a real risk to the organisation.
Technologists already struggling with the limitations of legacy systems say their deployments are ‘sticky’, making it difficult to ‘retire’ them. This results in challenges such as the inability to implement basic security measures, lack of technical support and spare parts, loss of expertise (often as a result of attrition) and difficulty understanding the degree of interdependency with other systems.
“We continue to run several legacy systems, each with one active user account, in case a department head requests the need to use them.” – CISO.
Even legacy systems vary, with many security professionals highlighting a marked difference between legacy systems deployed in the 1970s and 1980s (typically mainframes) and those deployed in the era of Microsoft Windows 95/98, NT and Win2K, at the turn of the century.
“We need to continue running 8-bit based MS-DOS laptops because 16-bit emulators do not work with operational equipment.” – CISO.
For technology being deployed today, failure to realise the benefits promised in business cases remains a headache for many IT and security functions. Late delivery and poor implementation of technology projects can erode the trust and credibility that is so important for a close working relationship between these functions and business leaders.
Security professionals are faced with a growing list of risk factors that influence the success of digital transformation today, including:
- lack of a common, clear and integrated security architecture
- high levels of shadow IT in use throughout the organisation
- unclear and inconsistent security standards and frameworks
- increasing and more stringent legal, regulatory and industry obligations
- backward compatibility and interoperability issues
- broken security controls due to changes in the infrastructure.
It is the advanced technologies and security solutions that continue to attract the attention of security practitioners and dominate the conversation. This is often in the hope that they will prove to be the ‘holy grail’ that solves a significant proportion of tomorrow’s security challenges. No gathering of security professionals can be held without experiencing an enthusiastic debate on the security implications of 5G, AI, AR, blockchain, robotics, IoT or quantum computing.
Uncertainty regarding the successful delivery and protection of these, and other equally new, technologies extends to the:
- way the future threat landscape for all organisations will unfold
- environments in which business will operate in the future
- technical infrastructure on which they will depend.
With history dictating that future generations of technology will lack important security capabilities, security professionals share concerns about the implications of integrating and combining new technologies with those already operational within the organisation.
Both technology and security functions find themselves stretched as they try to manage the increasing risks to legacy systems, protect current technical infrastructure from cyber threats and meet business expectations when deploying new technology.
To maintain a resilient and secure technical infrastructure, which might be as old as 50 years, organisations need to apply a coordinated approach to ensure the most appropriate security controls are deployed, threats are mitigated and risks remain within acceptable limits.
6 Recommendations to get started with protecting yesterday’s, today’s and tomorrow’s technology
- Explain to business leaders and information owners how the diversity and scale of the organisation’s technology landscape influence risk to the business.
- Increase visibility of the complete technology landscape, but accept that you will never see 100%.
- Tailor the organisation’s security architecture, standards and solutions to meet the security requirements of all technology (old and new) and apply protection using a principles-based approach.
- Establish a formal method for obtaining and exchanging skills and knowledge between technical staff and engineers responsible for protecting legacy systems through to emerging technologies. This will ensure that everyone learns from previous successes and failures.
- Establish a ‘technology watch’ capability to identify important trends relating to old, new and emerging technology.
- Incorporate, into future technology and security strategies, decommissioning of legacy systems, migration of current technologies and preparation for adopting new disruptive technologies.
The Information Security Forum provides a range of guidance and best practice for effective risk management, protection of technology and planning for future threat scenarios. Examples include:
- Securing Industrial Control Systems
- The Standard of Good Practice for Information Security 2018
- Security Architecture
- Threat Horizon 2021