Three Recommendations to Kickstart Your IT Modernization

It is no secret that the world’s cybersecurity posture is changing. The ways in which we use and interact with technology are different than they were even a few years ago. We have convenience, connectedness, and the promise of even greater breakthroughs on the horizon. As a user this sounds fantastic. As a security professional this sounds like a challenge.

With the proliferation of connected devices, the expansion of cloud computing, the increasing reliance on data-driven technologies, and an emphasis on information sharing, the threat landscape has become much more complex. Organizations now recognize the importance of a proactive approach to cybersecurity and understand that ongoing adaptation and innovation are necessary to stay one step ahead of cyberthreats. All of which raises the question: how do we evolve our cybersecurity postures for the modern era, and beyond?

Change is Not Without Costs
New technologies and capabilities need to be supported by their underlying systems and infrastructures. This isn’t news to most of us. Organizations around the world understand that cloud adoption, remote work, the Internet of Things, new regulations, advances in artificial intelligence, the looming threat of quantum computers, and so on have changed the game. In today’s environments, it is not enough to simply add extra memory or processing power to our systems.

Properly integrating new technologies can require significant changes to how things are currently done. Performing these updates is not always straightforward either, as many environments are static and fundamentally difficult to change. The decades-old security models and cryptographic algorithms that have become so deeply ingrained in our technology infrastructures are becoming obsolete. It is now about ensuring that our infrastructures are adaptable enough to remain secure even in the face of new technologies or increasingly capable threat actors. Doing so can take time, planning, and resources. 

Difficulties with Long-Term Plans
A crucial issue is that we need long-term visions for our technology infrastructures, but making long-term plans can be difficult when technological change is rapid or hard to predict. Changes take time and resources to implement, risk must be analyzed, and stakeholders need to be confident that the efforts will be worthwhile. Moreover, many cybersecurity and IT teams are already bogged down in dealing with daily security events, routine maintenance, and keeping their skills up to date. Consequently, resources are stretched, and long-term plans sometimes take a backseat to dealing with the very real issues in front of us here and now.

Three Strategies to Adapt and Overcome

  1. Engage in long-term planning today. We can mitigate the daily risks we will face in the future by engaging in long-term planning today. If we accept that large-scale technological changes will be necessary, then we are better served by framing them as opportunities with advantages, and by prioritizing them accordingly.
  2. Take things one step at a time. There may need to be significant infrastructure changes, but they don’t need to be done all at once. In fact, it can be better to take a phased, iterative approach to evolving your environments over time. Changes made too quickly can have unforeseen consequences. With a phased approach, lessons learned can be incorporated into the next cycle of the plan, new information can be properly accounted for, priorities can be reassessed, and overall costs and errors can be reduced.
  3. Work smarter, not harder. Chances are your organization isn’t planning just one change. IT modernization isn’t as simple as following one well-defined 10-year plan. There are a lot of moving pieces, different requirements, and different goals. Organizations need to identify these and investigate what benefits can be gained from comparing and strategically aligning their different roadmaps.

Take, for example, the migrations to zero trust architectures and quantum-safe cryptography.

Zero trust is the new paradigm in information security. It is the natural evolution of the traditional “castle and moat” design philosophy. As such, it can mean a significant shift in an organization’s information security systems, workflows, policies, etc. A quantum-safe migration requires things such as having conversations with your vendors about their quantum-safe plans, adopting new protocol standards, deciding how to handle legacy devices that cannot be easily migrated, and shifting your information security foundation (i.e., cryptography) to something different than what we have been collectively using for decades. Both migrations are significant, both begin with an accurate inventory of the organization’s cryptographic assets, and both benefit from a phased and iterative migration approach.

Because the zero trust and quantum-safe migrations share so many commonalities, it only makes sense to see where the two roadmaps can work together. U.S. government agencies have already been working on this issue; for an example, refer to the U.S. National Security Memorandum 8.

Instead of doubling your efforts (or worse, having the two migrations work against each other), take a step back, assess your needs, and see how the whole can be made greater than the sum of its parts.