A decade and a half ago, before information security became so important, I would often hear and use the phrase “security is a process, not a product.” I’m not sure who coined that term, but it was very fitting, even back in the earlier days when security was often an organizational afterthought.

At that time, the threats were not terribly advanced, and vulnerabilities were not nearly as prevalent. Fast forward to today, where things are much more dynamic. The threats have matured and have much greater financial backing. Vulnerabilities are a dime a dozen across everything from desktop operating systems to Web and mobile apps. Entire careers and businesses are at the mercy of that dreaded system outage or data breach.

The Status of Security

Yet security often remains stagnant. We see it in the headlines. We see it in the breach databases. We see it in the data breach studies that come out year after year. Security practices are treading water even as cybercriminals and attack vectors speed ahead.

As dynamic as information security is, those responsible are often heading in the wrong direction by:

  • Relying on written security policies to enforce the rules;
  • Hoping that management will provide the necessary budget;
  • Outsourcing to the cloud in hopes that someone else can be responsible for that aspect of security;
  • Assuming that snapshot-in-time vulnerability scans or penetration tests are representative of the overall network environment’s security posture today and moving forward;
  • Waiting for auditors, regulators or judges to compel them to make changes;
  • Tightening things down using existing technologies to the point that user productivity and business processes are blocked more so than the actual security threats;
  • Putting figureheads in place to make it look like that person is leading the charge for security even though their peers don’t want them at the executive table.

And, perhaps most importantly, they’re ignoring the decades-old security principles that will work in a dynamic environment if they are implemented and managed properly.

Understanding Dynamic Security

Things in the security world have evolved quite a bit in a short amount of time. Even when you step back and look at where the industry was just three years ago, you’ll see the development of concepts such as bring-you-own-device (BYOD) policies, cloud concerns and advanced malware threats. Yet it seems that we’re going in circles. Security is not stagnant, but we’re dealing with it like it is. What gives? And where do we go from here?

Perhaps it will be the big data analytics, machine learning and greater security intelligence solutions that we’re seeing evolve? Maybe the information security function will grow beyond the FUD factor and gain the business-level respect it deserves? Maybe the technical controls will get better?

One thing is for sure: I don’t envy those responsible for figuring all of this out. Sure, the solutions are at our disposal and getting better every year. However, it’s the human element that’s continually getting in our way. If information security is going to evolve the way it needs to — enhancing the business rather than being seen as a drag — it’s going to require business leaders and information security professionals alike to look in the mirror and realize it’s up to them to come to a consensus on how things can be improved. Anything less and it’s going to be the same old story 10 years from now.

More from Intelligence & Analytics

2022 Industry Threat Recap: Manufacturing

It seems like yesterday that industries were fumbling to understand the threats posed by post-pandemic economic and technological changes. While every disruption provides opportunities for positive change, it's hard to ignore the impact that global supply chains, rising labor costs, digital currency and environmental regulations have had on commerce worldwide. Many sectors are starting to see the light at the end of the tunnel. But 2022 has shown us that manufacturing still faces some dark clouds ahead when combatting persistent…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…