In 10 years at IBM, I’ve been fortunate to have a bird’s eye view of big changes across the security industry. I have helped massive enterprises and small organizations build out their defenses against all sorts of changing threats. Here are 10 simple cybersecurity lessons I’ve learned in the past decade.

10 Cybersecurity Lessons From an IT Expert

1. Don’t Forget the Basics

The Australian Department of Defence is respected in security circles for its list of 30 strategies to mitigate targeted attacks. Right up there at the top is simple stuff, such as patching operating systems and applications and locking down admin accounts. You have to think about basic security hygiene first and foremost. This is the foundation of a strong security program — everything else is built on top.

2. Security Is About Much More Than Malware

Our industry and the public are fixated on advanced threats, but equally important is the less sexy stuff, like managing credentials and access policies with employees and partners in your supply chain. You need a clear understanding of which people, based on their roles, should have access to which assets and data.

And don’t forget application security. If you are writing web or mobile apps for clients and customers, securing them takes a lot of discipline. Getting it wrong opens more doors to attackers.

3. Technology Is Only One Part of Security

Being tech-oriented, security professionals often obsess about the next great product or startup that will solve their problems. Most security problems, however, are people or process problems. Security must be embedded throughout the corporate culture. Employees need to understand just why security is vital to the organization and their specific roles in promoting it.

4. Security Is a Team Sport

Early on, security was reserved for IT, the silent defenders. As the threat environment changed for the worse, even IT knew it would be outmatched without third-party help. World-class security teams share information and collaborate with experts to defeat common foes. This means collaborating not just with vendors, but also with their peers and competitors.

5. Don’t Obsess Over the Threat Du Jour

There’s always the next awful thing out there. Trendy threats like Conficker, Stuxnet, APT-1 and other massive breaches against the world’s largest companies will always be in and out of the news. It’s certainly critical to learn from them, especially the vertical-specific ones. Just don’t pin your security strategy on reacting to the latest bad thing that comes along.

6. Buzzwords Aren’t All That Bad

All of a sudden, the word cyber is everywhere. It has even crept into political debates. As security geeks, we disdain these terms: big data, machine learning, the cloud. Ugh. But if in the end they can help to elevate the overall discussion and heighten security awareness in the general population, how can that be a bad thing?

7. What’s Old Is New Again

When I joined IBM with Internet Security Systems (ISS) 10 years ago, there was a lot of focus on server and host security in the data center. With the rise of Web 2.0 (remember that?) and mobile devices, we shifted more to network security. Then the cloud exploded and the focus moved back to server-based security, this time of virtual machines. My point? Cybersecurity lessons learned today will still be relevant in a decade.

8. Analytics: Not Just for Pretty Dashboards

Now that we’re speaking to the board, there’s a lot of flashy eye candy in security. Attack maps inspired by “War Games,” incident visualizations and risk views can be helpful in making security decisions. But more critical uses for analytics today include real-time fraud and insider threat protection. That’s not just eye candy — it’s highly functional, utilitarian security that can actually boost revenue and prevent damage.

9. Security Superstars Integrate and Automate

A decade ago, teams were using silos of point products, and automation meant locking down a network or quarantining an endpoint. But false positives meant taking potentially valuable resources offline, so there was pressure not to use it. Today, I see seasoned teams integrating their defenses and using deep context about specific threats to orchestrate policies and make precise decisions about actions. This is where our industry is headed.

10. Security Is Hard Work

Security takes discipline and a clear strategy. It takes an honest recognition that security is not a goal with an end game, but rather something that changes continuously as both organizational goals and the threat environment evolve. There is no magic product, no magic service, no single method of defense. You must work tirelessly every day to prevent threats and plug vulnerabilities. It’s like training for a marathon that never stops.
