Can IT security solutions really be agile? And can the conflicting goals between user-friendliness and attack protection be reconciled reliably? Our security expert Roman Hugelshofer offers some answers. His response: Yes, it’s possible – and more necessary than ever before.
From your perspective as a security expert, besides the generally understood security issues, what are the main challenges that companies face today?
Let’s start with the good news. IT security topics are now on the agenda at the management level. Many companies have created specialized roles and departments over recent years, which often report directly to the management. But there’s a buzzword that occupies IT managers today more than ever before: agility. Nowadays, companies have to respond faster to new requirements – whether this is due to new threats or new business initiatives. How fast this response sometimes has to be has become clear in recent months in particular.
Are you referring to the coronavirus pandemic which has given digitalization new momentum?
Yes, COVID-19 has sped up a trend which companies have been dealing with for a while now: digital transformation. The depth of this transformation has become especially apparent. This is because during the lockdown, it wasn’t just necessary to move meetings to video platforms. It also called for a new way of working in distributed teams and the possibility of working from home. As a result, this also affected fundamental aspects of IT infrastructure, particularly in terms of security.
Can you give a specific example?
Many of our customers operate in the financial or insurance sector – both industries where security and compliance standards are very important. When the employees of a private bank work from home, they shouldn’t simply be able to send customer data over WhatsApp. This makes secure and reliable tools necessary, so staff can access their workspace at all times – but safely and with protection from external attacks.
Modern IT security should be an enabler of digitalization.
Roman Hugelshofer, Managing Director Application Security
That sounds fascinating; you are referring to new possibilities of virtual collaboration.
They are not completely new, but it was often the case that VPNs (virtual private networks), for example, had too few protections, particularly with respect to authentication. The basic problem is that not only employees like the option of working from home, but also hackers of course. This is a problem that is still underestimated.
Can you provide figures that show the extent of this challenge?
62 percent of companies have concerns regarding application security and 43 percent have already experienced successful attacks against their applications. Moreover, the 2020 Cyber Security Study by Ergon Informatik AG and IDG Research clearly showed that 86 percent of companies have been affected by cyber attacks and more than 50 percent of companies suffered economic damages due to these attacks. It’s important to be aware of what economic damages can mean today – especially in connection with the Internet of Things (IoT) and the potential interference with entire production processes. Or the theft of personal data, which represents a major risk, not only in the financial sector but also for insurers, the healthcare sector, public services and other data-driven industries.
There is now a veritable hype in digitalization. Is IT security just a buzz killer that only sees the risks but no opportunities?
We are primarily the ones who look with both eyes – and not from behind rose-tinted spectacles (laughs). But seriously, modern IT security should be an enabler of digitalization. With a certain degree of pride, I can say that with our solutions we have helped many of our customers reach this status.
Can you explain this further?
Let’s consider the example of payment transactions. Today, we are used to carrying out banking online. But before we do so, we go through a security check and authenticate our identities – ideally without a password using fingerprint or facial recognition, or even without physical contact. For the user, this process takes place almost unwittingly. And precisely this seamless yet secure customer experience is required nowadays.
Is the modern customer spoilt?
Actually, they are digitally savvy and expect straightforward processes. On the one hand, because upstream integrated security systems enable the user experience that digital natives have become used to. On the other, because the image of IT security has radically changed in the last few years.
To what extent?
In the past, IT security was seen as a grim sentry who would stare at every newcomer with wicked eyes and would prefer to scare them away. But today? Today, we have become the concierge at the welcome desk – constantly thinking of optimal security but always friendly and accommodating. There are good reasons for this behavior.
What reasons are these?
Above all, the expectations of customers. You have to keep in mind that digital natives now already account for the majority of the Swiss population. They have completely different expectations than digital immigrants when it comes to speed, the availability of services and an intuitive user experience. Interestingly, these expectations are not only limited to consumers but also businesses.
Does that mean that security processes also need to leverage gamification elements in the business sector?
I wouldn’t go that far. But allow me to mention two concrete examples. For a financial institution switching to working from home, not only is secure data access important but also how the employees can interact with the virtual platform. Until recently, this was only possible with passwords and hardware tokens. That can be tedious, costly and prone to errors. But when seamless authentication is possible – with single sign-on and password-free two-factor authentication – this process becomes both convenient and highly secure.
And the other example?
Consider another customer of ours operating in the industrial sector, worldwide and with several thousand employees. This tech company offers digital access to maintenance services, in the form of predictive maintenance connected to the cloud and IoT infrastructure. Here, the target of hacker attacks is clear: not yet registered patents, business secrets and important project information – the crown jewels of any business. Nonetheless, the customer platform should enable easy access – in Bern, Boston as well as Bangkok. Straight away, we see a typical case of conflicting goals between security and user-friendliness.
How is this conflict resolved?
With upstream security solutions. Despite more and more complex IT architecture, this approach not only enables a consistent user experience but also high cost efficiency and a fast time-to-market for new business services.
The challenge is therefore combining the best of both worlds.
Roman Hugelshofer, Managing Director Application Security
Upstream solutions sound compelling. But what challenges should companies expect in their implementation?
Many IT systems are based on a monolithic structure with large applications, which, although very powerful, can also be very cumbersome. For this reason, more and more microservices have emerged in recent years, where the typically complex application software is composed from independent processes. The major challenge is that the “old” world of monolithic applications is still present, and this is not likely to change in the coming years. After all, the existing systems have established themselves and are associated with considerable investments. So, the challenge is combining the best of both worlds: the old world of big, sluggish silos and the new world with its short DevOps cycles, agile innovation processes and fast time-to-market.
Are there any more arguments for an integrated holistic solution?
Yes, of course – from simple registration processes and simplified central compliance management to fast business development processes. But I’d like to emphasize one particular point.
And that is?
Companies will find it increasingly difficult to be successful by going it alone. An interconnected world means that we also think in networked ecosystems when it comes to digitalization. As a result, the ability to integrate third-party services will become a key success factor in the future. A seamless innovation capacity is therefore indispensable – especially in terms of security. And here we come full circle: It is precisely for this reason that an upstream IT security solution pays off.