Agile – able to navigate nimbly all types of internal and external change, expected and unexpected.
Resilient – able to avoid threats, disasters, and disruptions, and to recover rapidly and seamlessly from those that cannot be avoided.
Trustworthy – able to credibly demonstrate and document operational transparency, in ways that both create and justify high levels of trust among all stakeholders.
One might even describe such an enterprise as “ART-ful.” If one were prone to such constructions. But I digress.
It turns out there is also a single prerequisite for all three of the characteristics that make an enterprise “ART-ful.” That prerequisite is security. Specifically, user-centered security.
What is “user-centered security?” It’s a focus on what users use to do their jobs—applications, information, devices and network connections. Protect those things, and you can protect users from being victims of malware and other threats. Just as important and valuable, you can also protect users from being conduits into the enterprise for malware and other threats. All while keeping critical enterprise resources safe as well.
How to Achieve User-Centered Security
User-centered security is not only desirable, but achievable. Building upon research conducted by elements of the Australian government, the Canadian Cyber Incident Response Center (CCIRC) estimates that up to 85 percent of targeted attacks on IT environments are preventable by four simple steps:
- Application whitelisting;
- Timely application patching;
- Timely operating system patching; and
- Restricting of administrative privileges to those users who really need them.
Unfortunately, such protections are like smarter eating and exercise habits. More of us know what would be best for us to do, but we don’t always do those things.
Take patching. In an April 2015 alert, the US Computer Emergency Readiness Team (US-CERT) identified the “Top 30 Targeted High Risk Vulnerabilities.” The newest of these dates from 2014; the oldest is from 2006. That means that there are patches designed to remediate all 30 vulnerabilities but that many if not most enterprises have not yet installed those patches, for whatever reasons.
The bottom line here is that agility, resilience and trustworthiness are impossible without pervasive, ubiquitous, invisible, user-centered security and that such security begins with comprehensive, timely patching. Agility, resilience and trustworthiness are the pillars supporting the successful modern enterprise. User-centered security, starting with timely, effective patching, is the foundation that supports those pillars and enables the enterprise to implement the practices, processes and services that make agility, resilience, and trustworthiness possible.
To build that foundation, your enterprise must first automate, integrate, and optimize management of its IT security efforts, starting with patching. As these efforts make IT security more consistent and user-centered, that security can be expanded across all of the IT-empowered services that enable the business. Security and its effective management make up the bedrock that complements the foundation that supports the pillars of agility, resilience, and trustworthiness.
Of course, none of these strengths can be achieved or sustained by any processes or technologies alone. As with almost everything else a successful enterprise does, ART is achieved and sustained by people. Specifically, you and your people. In concert with colleagues from across your enterprise. Evolution into an ART-ful enterprise requires leaders, evangelists, champions and supporters to implement and manage the user-centered security policies, processes, technologies, and services that make ART—agility, resilience and trustworthiness—possible.
During the next few weeks, additional posts will dig a bit more deeply into the market forces driving the rise of the ART-ful enterprise and how your enterprise can achieve and sustain agility, resilience, and trustworthiness. Next up: “Your ‘ART-ful’ Enterprise: Agility.” More to come. Meanwhile, as always, your comments, questions, and stories are welcome.