10 Cybersecurity Lessons From an IT Expert
In 10 years at IBM, I’ve been fortunate to have a bird’s eye view of big changes across the security industry. I have helped massive enterprises and small organizations build out their defenses against all sorts of changing threats. Here are 10 simple cybersecurity lessons I’ve learned in the past decade.
1. Don’t Forget the Basics
The Australian Department of Defence is respected in security circles for its list of 30 strategies to mitigate targeted attacks. Right up there at the top is simple stuff, such as patching operating systems and applications and locking down admin accounts. You have to think about basic security hygiene first and foremost. This is the foundation of a strong security program — everything else is built on top.
2. Security Is About Much More Than Malware
Our industry and the public are fixated on advanced threats, but equally important is the less sexy stuff, like managing credentials and access policies for employees and for partners in your supply chain. You need a clear understanding of which people, based on their roles, should have access to which assets and data.
And don’t forget application security. If you are writing web or mobile apps for clients and customers, securing them takes a lot of discipline. Getting it wrong opens more doors to attackers.
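To make the role-based access point concrete, here is a small, added illustration of a deny-by-default role-to-permission model with an audit line and a simple over-privilege review. It is example code written for this page, not code from the original post or from IBM; the roles, resources and user names in it are constructed for the demonstration.

```python
# Added illustration of role-based, deny-by-default access checks.
# Not from the original post; every role, resource and principal below is constructed.
from dataclasses import dataclass

# Role -> set of (resource, action) grants. Anything not listed here is denied.
# The external partner role is deliberately narrow: one feed, read-only.
ROLE_GRANTS = {
    "developer": {("source-repo", "read"), ("source-repo", "write"), ("ci-logs", "read")},
    "support": {("ticket-db", "read"), ("ticket-db", "write"), ("customer-pii", "read")},
    "supply-chain-partner": {("inventory-feed", "read")},
    "admin": {("user-directory", "read"), ("user-directory", "write")},
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset  # roles assigned to this employee or partner account


def effective_grants(principal):
    """Union of the (resource, action) pairs granted by every role the principal holds."""
    grants = set()
    for role in principal.roles:
        grants |= ROLE_GRANTS.get(role, set())  # unknown roles contribute nothing
    return grants


def is_allowed(principal, resource, action):
    """True only if some role held by the principal explicitly grants (resource, action).

    Deny by default: an unknown role, resource or action never passes.
    """
    return (resource, action) in effective_grants(principal)


def audit_decision(principal, resource, action):
    """Return a log line for the decision so denials can be reviewed, not just enforced."""
    verdict = "ALLOW" if is_allowed(principal, resource, action) else "DENY"
    return (f"{verdict} user={principal.name} roles={sorted(principal.roles)} "
            f"resource={resource} action={action}")


def over_privileged(principals, max_writes):
    """Names of principals whose combined roles grant write access to more than max_writes resources.

    A cheap periodic review: role accumulation is how least privilege erodes over time.
    """
    flagged = []
    for p in principals:
        writes = {res for (res, act) in effective_grants(p) if act == "write"}
        if len(writes) > max_writes:
            flagged.append(p.name)
    return sorted(flagged)


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"developer"}))
    partner = Principal("acme-feed-bot", frozenset({"supply-chain-partner"}))
    bob = Principal("bob", frozenset({"developer", "admin"}))
    for who, res, act in [(alice, "source-repo", "write"),
                          (alice, "customer-pii", "read"),
                          (partner, "inventory-feed", "read"),
                          (partner, "inventory-feed", "write")]:
        print(audit_decision(who, res, act))
    print("over-privileged (more than 1 writable resource):", over_privileged([alice, bob, partner], 1))
```

The point of the shape is that the policy is a table you can read and review, the check is one membership test, and anything not explicitly granted is refused; the `over_privileged` pass is the kind of routine review that catches a partner or employee account quietly collecting write access across several systems.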
3. Technology Is Only One Part of Security
Being tech-oriented, security professionals often obsess about the next great product or startup that will solve their problems. Most security problems, however, are people or process problems. Security must be embedded throughout the corporate culture. Employees need to understand just why security is vital to the organization and their specific roles in promoting it.
4. Security Is a Team Sport
Early on, security was reserved for IT, the silent defenders. As the threat environment changed for the worse, even IT knew it would be outmatched without third-party help. World-class security teams share information and collaborate with experts to defeat common foes. This means collaborating not just with vendors, but also with their peers and competitors.
5. Don’t Obsess Over the Threat Du Jour
There’s always the next awful thing out there. Trendy threats like Conficker, Stuxnet, APT-1 and other massive breaches against the world’s largest companies will always be in and out of the news. It’s certainly critical to learn from them, especially the vertical-specific ones. Just don’t pin your security strategy on reacting to the latest bad thing that comes along.
6. Buzzwords Aren’t All That Bad
All of a sudden, the word cyber is everywhere. It has even crept into political debates. As security geeks, we disdain these terms: big data, machine learning, the cloud. Ugh. But if in the end they can help to elevate the overall discussion and heighten security awareness in the general population, how can that be a bad thing?
7. What’s Old Is New Again
When I joined IBM with Internet Security Systems (ISS) 10 years ago, there was a lot of focus on server and host security in the data center. With the rise of Web 2.0 (remember that?) and mobile devices, we shifted more to network security. Then cloud exploded and the focus moved to server-based security of virtual machines. My point? Cybersecurity lessons learned today will be relevant in a decade.
8. Analytics: Not Just for Pretty Dashboards
Now that we’re speaking to the board, there’s a lot of flashy eye candy in security. Attack maps inspired by “War Games,” incident visualizations and risk views can be helpful in making security decisions. But more critical uses for analytics today include real-time fraud and insider threat protection. That’s not just eye candy — it’s highly functional, utilitarian security that can actually boost revenue and prevent damage.
9. Security Superstars Integrate and Automate
A decade ago, teams were using silos of point products, and automation meant locking down a network or quarantining an endpoint. But false positives meant taking potentially valuable resources offline, so there was pressure not to use it. Today, I see seasoned teams integrating their defenses and using deep context about specific threats to orchestrate policies and make precise decisions about actions. This is where our industry is headed.
10. Security Is Hard Work
Security takes discipline and a clear strategy. It takes an honest recognition that security is not a goal with an end game, but rather something that changes continuously as both organizational goals and the threat environment evolve. There is no magic product, no magic service, no single method of defense. You must work tirelessly every day to prevent threats and plug vulnerabilities. It’s like training for a marathon that never stops.
VP of Strategy and Product Design, IBM Security