[BreachExchange] Is It Time to Upgrade the Network?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 15 19:55:49 EDT 2017


http://www.securityinfowatch.com/article/12352983/is-it-time-to-upgrade-the-network

While cyber attacks have dominated the news recently, we all know that
physical security is just as critical a component of the security plan.  A
breach in physical security that puts corporate assets at risk will quickly
undo the work done by IT to secure data and IP.  Physical security is a
critical issue in any security strategy but is especially heightened at the
edge (designed to bring computing closer to the end user to reduce
latency).  The edge represents network outposts prone to accidental or
intentional tampering and requires special consideration for monitoring
physical threats.

Smart sensors (enabled by the Internet of Things (IoT)), for example, can be
used to sense environmental threats and send a text message alarm or email
when temperature rises above an acceptable threshold. Sensors also supply data
that needs to be correlated with other data, analyzed, and acted on.  With
the increased transition to digital formats and the need for digital
transformation in the enterprise, the days of separate networks for
physical and data security are all but gone. Technology innovations that
can meet the needs of the business to digitally transform will require
fundamental changes to networking to truly enable a distributed,
cloud-first, mobile-first business world. Innovation and competitive edge,
not outdated hardware, will be the ultimate drivers in security network
upgrades.

Applications deployed on staff mobile devices are being combined with mass
threat notification systems that specifically target at-risk personnel
based on last known IP address. Once dispatched via analog radios, mobile
guards can be automatically alerted about incidents via smart devices based
on their nearest location, availability, etc.  Once used for basic HVAC and
machine maintenance troubleshooting, heat sensors are increasingly being
used to predict optimal maintenance and end-of-life replacement
initiatives.

These types of transformational scenarios mean security leaders need to
think about IT and physical security more holistically to meet the
performance needs of the business and to protect against threats ranging
from environmental to human.  Leaders considering such innovative solutions
acknowledge that these solutions demand more edge strength, storage, and
processing power that only modern networks best provide.

So how do a CSO and CISO decide that an organization’s network needs to be
upgraded to accommodate increased devices, demand for data insight,
protection of information, and possible intrusion at the edge?

One: Strategic Alignment

The technical path towards meeting company requirements for future growth
and other requirements is of great importance to any technology project.
A company merger or acquisition, for example, will see the number of users,
devices, and servers grow and require additional support for the expanding
network.  Network designers need to meet with business stakeholders and
understand not only their strategic goals but the applications and
scenarios that are needed to outperform the competition.  The story the
business tells in the aggregate represents the holistic picture and
requirements that incremental, IT-driven, bottom-up network upgrade
projects are unlikely to address. The initial network upgrade plan must
anticipate what the company is going to require three to four years from
the completion of implementation to be successful.

Two: Assessment and Baseline Documentation

The CSO and CISO need to establish the baseline network and document the
detailed layout of what is already on site and current conditions of the
network components. This inventory and assessment documents things like
device name, date of purchase, warranty information, location, brand and
model, etc. It also should answer questions like: How many users are
currently on the network? How many networking devices are installed in your
network? What functions do they perform? How does the business connect to
the Internet? What is the Internet performance and does the connectivity
need to be upgraded? Does the equipment that provides the connectivity also
need to be upgraded or replaced? What applications does the network
support? What is the current performance when applications, especially
video and voice, are used?

Ultimately, this will be used by the network design team to determine what
new equipment is required to strengthen the network for current and future
needs.

Three: Modeling and Simulation

Required changes can only be determined if, prior to purchase and
deployment, use cases coupled with modeling and simulation of the current
network can show issues that will need to be corrected.

Four: Cost of Downtime

How much reliability can the company afford? Networks impact system
performance, reliability, and scalability. With enough budget allocated, the
company can maintain nearly 100 percent uptime with complete redundancy in
all equipment and services; however, this is extremely expensive to
implement and also highly unlikely.  Networks must be designed to reflect
the real need for uptime, performance, and system reliability.

Five: Project Approach and Risk Mitigation Strategies

Complexity escalates risk.  Breaking down a network upgrade into phases
based on priority, impact, and cost can be considered a positive way to simplify
the project and address risk.  Fewer requirements and solutions should lead
to a more manageable process. However, a network which is in a constant
state of flux or preparation for the next upgrade can create stakeholder
frustration and stability issues, especially given each network upgrade can
generate cascading issues and require new documentation for network
diagrams, etc.

To consider a total evolution of the network environment is not for the
faint of heart. This requires significant planning upfront as well as
budget.  However, it should generate less documentation over time since the
design team won’t have to rework network diagrams each time an incremental
upgrade is made. Also, once the network is up and stable it should require
much less care and nurturing than a network which is constantly evolving.

What is the best scenario?  It depends on how poor the network is, how big
the future growth is, and what kind of budget and resources are really
required for a complete remove and replace initiative versus incremental
upgrades over a series of years.

Six: Budget and Resources

Resources and budget are never unlimited.  CISOs and CSOs need to
thoughtfully prepare a realistic, joint budget ask and make the case for
what they will need.

Clearly, the more software or hardware the organization needs to replace
that is not covered by a warranty, or as the number of new network
components that are needed increases, the higher the budget ask.  To
prepare the CFO for upcoming budget asks, consider using relative sizing
for the initial meeting.  Relative sizing is about comparing different
network upgrade projects and agreeing on which ones are smaller (or larger)
in size, then assigning each project a T-shirt size: small, medium, large, or
x-large. At the end of the exercise, all the upgrade projects would have
been classified into the different size buckets and can be assigned
approximate cost ranges and time frames.  They can also be prioritized and
placed into years.

This type of initial budget discussion approach prevents building out
detailed business and technology requirements and obtaining quotes from
vendors just to get directional feedback from the CFO. If the x-large
project with the remove and replace strategy costs between 20 and 30
million dollars over two years and the CFO chokes in the meeting and tells
you that you have twenty-five percent of that budget ask to work with over
three years, you won’t feel as bad or have wasted your time.

Seven: Planning and Project Management

The planning phase is considered the most important phase of any project
because the process produces the project plan, which clearly addresses how
the project team will manage the project elements. This is the document
that should give the joint teams a high level of confidence in the
organization’s ability to meet the scope, timing, cost, and performance
requirements for the network upgrade. Poor up-front project definition and
planning can cause serious problems, such as lack of business support,
missed budgets and deadlines, and reputational loss within the
organization.  Make the decision to upgrade only if you can allocate
budget or headcount to assign one or more project managers to the
project.

Summary

The future network requires a bold vision for digital transformation, a
joint approach by the CSO and CISO to solving the problem, and a project
that is backed by investments driven by the business.