A decade and a half ago, before information security became so important, I would often hear and use the phrase “security is a process, not a product.” I’m not sure who coined that phrase, but it was very fitting, even in those early days when security was often an organizational afterthought.

At that time, the threats were not terribly advanced, and vulnerabilities were not nearly as prevalent. Fast forward to today, where things are much more dynamic. The threats have matured and have much greater financial backing. Vulnerabilities are a dime a dozen across everything from desktop operating systems to Web and mobile apps. Entire careers and businesses are at the mercy of that dreaded system outage or data breach.

The Status of Security

Yet security often remains stagnant. We see it in the headlines. We see it in the breach databases. We see it in the data breach studies that come out year after year. Security practices are treading water even as cybercriminals and attack vectors speed ahead.

As dynamic as information security is, those responsible are often heading in the wrong direction by:

  • Relying on written security policies to enforce the rules;
  • Hoping that management will provide the necessary budget;
  • Outsourcing to the cloud in hopes that someone else can be responsible for that aspect of security;
  • Assuming that snapshot-in-time vulnerability scans or penetration tests are representative of the overall network environment’s security posture today and moving forward;
  • Waiting for auditors, regulators or judges to compel them to make changes;
  • Tightening controls with existing technologies to the point where user productivity and business processes are blocked more than the actual security threats are;
  • Installing figureheads so it looks as if someone is leading the charge for security, even though their peers don’t want them at the executive table.

And, perhaps most importantly, they’re ignoring the decades-old security principles that will work in a dynamic environment if they are implemented and managed properly.

Understanding Dynamic Security

Things in the security world have evolved quite a bit in a short amount of time. Even when you step back and look at where the industry was just three years ago, you’ll see the development of concepts such as bring-your-own-device (BYOD) policies, cloud concerns and advanced malware threats. Yet it seems that we’re going in circles. Security is not stagnant, but we’re dealing with it as if it were. What gives? And where do we go from here?

Perhaps it will be the big data analytics, machine learning and greater security intelligence solutions that we’re seeing evolve? Maybe the information security function will grow beyond the FUD factor and gain the business-level respect it deserves? Maybe the technical controls will get better?

One thing is for sure: I don’t envy those responsible for figuring all of this out. Sure, the solutions are at our disposal and getting better every year. However, it’s the human element that’s continually getting in our way. If information security is going to evolve the way it needs to — enhancing the business rather than being seen as a drag — it’s going to require business leaders and information security professionals alike to look in the mirror and realize it’s up to them to come to a consensus on how things can be improved. Anything less and it’s going to be the same old story 10 years from now.
