A decade and a half ago, before information security became so important, I would often hear and use the phrase “security is a process, not a product.” I’m not sure who coined that term, but it was very fitting, even back in the earlier days when security was often an organizational afterthought.
At that time, the threats were not terribly advanced, and vulnerabilities were not nearly as prevalent. Fast forward to today, where things are much more dynamic. The threats have matured and have much greater financial backing. Vulnerabilities are a dime a dozen across everything from desktop operating systems to Web and mobile apps. Entire careers and businesses are at the mercy of that dreaded system outage or data breach.
The Status of Security
Yet security often remains stagnant. We see it in the headlines. We see it in the breach databases. We see it in the data breach studies that come out year after year. Security practices are treading water even as cybercriminals and attack vectors speed ahead.
As dynamic as information security is, those responsible are often heading in the wrong direction by:
- Relying on written security policies to enforce the rules;
- Hoping that management will provide the necessary budget;
- Outsourcing to the cloud in hopes that someone else can be responsible for that aspect of security;
- Assuming that snapshot-in-time vulnerability scans or penetration tests are representative of the overall network environment’s security posture today and moving forward;
- Waiting for auditors, regulators or judges to compel them to make changes;
- Tightening things down using existing technologies to the point that user productivity and business processes are blocked more than the actual security threats are;
- Putting figureheads in place to make it look like that person is leading the charge for security even though their peers don’t want them at the executive table.
And, perhaps most importantly, they’re ignoring the decades-old security principles that will work in a dynamic environment if they are implemented and managed properly.
Understanding Dynamic Security
Things in the security world have evolved quite a bit in a short amount of time. Even when you step back and look at where the industry was just three years ago, you’ll see the development of concepts such as bring-your-own-device (BYOD) policies, cloud concerns and advanced malware threats. Yet it seems that we’re going in circles. Security is not stagnant, but we’re dealing with it like it is. What gives? And where do we go from here?
Perhaps it will be the big data analytics, machine learning and greater security intelligence solutions that we’re seeing evolve? Maybe the information security function will grow beyond the FUD factor and gain the business-level respect it deserves? Maybe the technical controls will get better?
One thing is for sure: I don’t envy those responsible for figuring all of this out. Sure, the solutions are at our disposal and getting better every year. However, it’s the human element that’s continually getting in our way. If information security is going to evolve the way it needs to — enhancing the business rather than being seen as a drag — it’s going to require business leaders and information security professionals alike to look in the mirror and realize it’s up to them to come to a consensus on how things can be improved. Anything less and it’s going to be the same old story 10 years from now.
Independent Information Security Consultant