As the app economy continues to drive change in IT security, businesses struggle to meet customer demands while keeping their data secure.
Strong security is essential in an application-centric world, but new research shows businesses are sacrificing security in order to improve speed-to-market for their app offerings.
This was one of the findings of a new report, “The Security Imperative: Driving Business Growth In The App Economy,” conducted by Coleman Parkes and commissioned by CA Technologies.
Researchers surveyed 1,770 senior business and IT executives, including more than 100 CSOs and CISOs, to investigate how their security operations affect business performance.
Results indicate businesses view IT security as a business enabler but struggle to deliver stronger protection under the pressure of the app economy. Sixty-eight percent of respondents admit they compromise on security to get apps to market faster.
This is a tremendous risk. Managing user identities across thousands of apps, systems, devices, and platforms requires organizations to increase the complexity of their security practices, not cut corners.
The app economy is creating new cybersecurity challenges for IT leaders operating in a multi-channel, multi-platform world. Customers expect rapid and secure experiences from any device, and will take their business elsewhere if security is burdensome or data is jeopardized.
The rise of mobile and cloud has opened up new opportunities to drive the app economy, explains Nick Nikols, SVP and CTO for cybersecurity at CA Technologies. However, it also changes the security dynamic. What happens to traditional security approaches, like hiding behind a firewall, when data can be located anywhere?
“How do you secure something that is much more ‘out there,’ and not entirely under your control as much as it once was?” says Nikols of protecting cloud-based data. When information can be stored anywhere, businesses can’t rely on traditional approaches to security.
It’s time for businesses to think beyond these approaches as they pursue new opportunities in this environment.
“You can’t define a rigid perimeter and put defenses outside the perimeter,” he continues. “You can’t think of everyone on the outside as being bad and everyone on the inside as being good.”
This is where identity-centric security comes into play. “We need something in addition to network security and endpoint security,” says Nikols. “We need a more logical understanding of the nature of the [user] relationship.”
The identity-centric approach uses behavioral analytics and predictive strategies to ensure identities are valid without sacrificing the customer experience. It’s a more dynamic approach to security, Nikols explains. Risk is assessed via user behavior, and people may be asked for additional proof of ID to ensure they are who they claim to be.
However, he notes it’s difficult to improve app security when the competition to deliver is fierce. “People are starting to recognize the need [for greater security], but we’re quick to move to delivering new services and treat security as an afterthought,” Nikols says.
As the app economy and its related challenges continue to evolve, how can businesses boost security while maintaining a strong customer or user experience?
Nikols advises creating a closer relationship between the DevOps and security teams so security is integrated into the development process and not tacked onto the end. If the security team is solely focused on hardening the perimeter or checking for vulnerabilities, their skills aren’t being used to integrate security into the app.
If the security team isn’t part of the development process, he continues, the overall rollout is delayed or the app is exposed to greater risk. Refusing to bring the two teams together will cause challenges.
“If we make [security] part and parcel of the DevOps process, it can help to actually save time,” he says. “The app will be secure from the get-go, and you won’t have to spend time securing an app you already built.”
Many businesses have begun to use external business metrics to measure the effectiveness of IT security. These include factors like employee productivity, employee recruitment and retention, competitive differentiation, digital reach, and business growth.