When talking to enterprise and government customers, security of their hosted applications is never far from the top of the list of priorities. It doesn't make sense to run a workload in a hosted or cloud model if you can't trust the service provider to reliably mitigate risk.
Many customers face regulatory requirements that tie their operational models to one or more compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) or the Federal Information Processing Standards (FIPS). However, as any chief security officer would point out, there is more to security than a standardized checklist, and there is more to risk management than industry-wide consistency. Each application possesses a different risk profile, and the manner in which risks are mitigated may depend on a wide range of variables. Of paramount importance in any information security architecture are the quality of information, the depth of control, and the ability to respond to changes in the environment.
It is possible to be "compliant" while not necessarily being "secure." The reason is that threats and risks are continually changing, and any interval-based compliance regime carries an ambient level of bureaucracy that can only respond so quickly. There is an emerging debate across the ICT landscape, especially where it focuses on critical industries such as government, finance and energy, around whether regulatory standards are the best answer for mitigating risk.
On one side is the desire for clarity and "industry standards," which give all players a sense of order and consistency. Procedural discipline, documentation and knowledge of the standards all become vitally important. On the other hand, where rapidly emerging threats require supreme adaptability, the most important currency is information. Knowing where attacks are coming from, as they say, is half the battle.
In some respects, this is a false debate - enterprise-class organizations require equal measures of discipline and agility to successfully negotiate the risk landscape. However, when considering broad cybersecurity legislation, politicians and regulators tend to rely more on the former than the latter.
This debate was highlighted during the March 7 House Committee on Energy & Commerce's Communications and Technology Hearing on Capitol Hill in Washington, D.C. CenturyLink senior leaders were vital contributors to the discourse, highlighting the need for government to not simply pass down bureaucratic regulation, but also partner with key stakeholders in the industry to pass along threat intelligence in an organized and actionable format. Our chief security officer, David Mahon, testified that while the global cybersecurity threat is "real and serious," integrated communications providers like Savvis and CenturyLink play an important role in the cybersecurity ecosystem.
Mr. Mahon's opening statement can be viewed here.
It's interesting to think about how traditional telecommunications companies are well-positioned to address both sides of the aforementioned debate. We have the operational discipline to address compliance obligations, while also having end-to-end visibility of network traffic that allows us to act on late-breaking information before it reaches a data center or network endpoint.
David Shacochis is vice president, global public sector, at Savvis.