Security in the Application EconomyCA's Steve Firestone on How to Be a Business Enabler
In an application-driven economy, security is not just about deploying controls for protection. It's about being a business enabler, says Steve Firestone, general manager of the security business at CA Technologies.
Mobility is a great example, Firestone says. BYOD clearly impacts security practices and policies that relate to customers and employees.
"Many Indian enterprises open access to APIs (application programming interfaces) externally. However, security practitioners are way ahead when rating the importance of securing APIs," Firestone says.
Organizations are adopting a new approach to security, he says, since it's not about protection alone, but also enablement.
"Business enablement has made organizations realize they must increase investment in security," Firestone says. "The current priority is to increase IT spending. Security spending among Indian organizations is 20 percent of the IT budget, estimated to reach 28 percent in the next three years."
In this interview with Information Security Media Group, Firestone talks of the challenges of the application economy. He refers to a study about the business growth opportunities CISOs can find with the increased use of APIs and BYOD. He also discusses:
- The impact of apps on security practices;
- Security as an enabler and protector;
- The increase in security spending.
Firestone leads the identity and access management business unit at CA Technologies and is responsible for ensuring the company's products, services and partnerships protect and enable customers' businesses. He has led some of its most innovative solutions in various business units, including CA Unicenter, growing it to revenue of more than $2 billion. Firestone's security background includes leading roles in engineering, innovation, early adopters and customer partnerships.
Application Economy and Security
GEETHA NANDIKOTKUR: Can you elaborate on the importance of application economy and its impact on enterprise security?
STEVE FIRESTONE: App economy refers to the economic activity surrounding mobile applications. Mobility, influx of mobile apps, leveraging SaaS model and social media and APIs are its key drivers. Its impact is felt more intensely by the top management, since the disruptions it's brought in affect organizations in very fundamental ways, and the top management is ultimately responsible for the company's strategic direction. Line of Business (LOB) executives in particular feel the pressure.
Indian organizations are under pressure to deliver frictionless, positive customer experience to achieve business growth.
Mobility is impacting security practices and policies. For customers, the impact is likely the need to support a broader scope of devices, develop secure apps and simply offer the mobile option. For employees, the impact is similar: growing the capability of the workforce to do their jobs via the mobile channel - providing the apps they need and ensuring they are secure.
In our recent study, 8 Steps to Modernize Security for the Application Economy, conducted among top security practitioners, about 55 percent of CISOs said mobility impacted their security practices for customers. As BYOD makes major inroads, securing enterprises tops the list. About the same percentage (53%) said mobility impacted practices for employees, too.
A key observation was that security's critical in the application economy; it's the second biggest obstacle to success, after budgeting.
New Approach to Security
NANDIKOTKUR: The application economy is forcing security leaders to take a new approach to security. Can you provide some insights?
FIRESTONE: Organizations are adopting a new approach to security, since it's not about protection alone, but also enablement. Increasing access to the Web, mobile apps, smart devices and the cloud have created the new 'open' enterprise. APIs form its foundation, allowing enterprises to reuse their existing information assets across organizational boundaries - creating security challenges of balancing business enablement and protection. Businesses are considering increasing investment in security for better productivity and flexibility. We found that 74 percent open access to their APIs to customers, partners or suppliers. In India, it's 65 percent, the second lowest in countries across the region.
Another approach is to see increased investment in security following mega breaches in the recent past - 85 percent of Indian practitioners saw or expect to see increased revenue from this.
Top Security Priorities
NANDIKOTKUR: What should be the top priorities from a security standpoint?
FIRESTONE: Business enablement has made organizations realize they must increase investment in security. The current priority I can think of is to increase IT spending. Security spending among Indian organizations is 20 percent of the IT budget, estimated to reach 28 percent in the next three years. The priority seems to be increasing user productivity and business flexibility from improved security. Our study highlighted (and I agree) the top security priorities - to protect against data breaches, improve mobile customer experience, improve/support compliance audit, security of APIs and ensuring security for cloud applications and data, among others. The biggest spend is coming from financial services and banking.
NANDIKOTKUR: What are the best ways to stay safe in an application economy?
FIRESTONE: APIs help drive the app economy, helping deliver apps more quickly to market, but they must be secured as they expose data to internal and external developers. And identities are the foundation that enable these apps to be used securely and conveniently. Let's start by looking at the kind of data we allow outside of our enterprise (banking, health, travel) and look at it from end to end.
When defending against external attackers, you must apply this end-to-end approach. From the outside-in, you must secure access to the mobile device itself, as well as the data it can access.
Then, you must strongly authenticate users when they access particularly sensitive data.
You must control access to Web apps and APIs. As users move between accessing their data on their mobile device, watch, laptop and different Web applications they must do that seamlessly, without thinking where the app is deployed.
Finally, there are vast quantities of highly sensitive data on back-end systems - much of it subject to regulations. Organizations must secure privileged identities to protect them from being breached by outside attackers, and ensure accountability among its own IT administrators.