Now that we’re well into 2016, you likely have various information security initiatives underway. The specifics you’re working on are, no doubt, priorities given your unique needs, budget and so on. But are you focusing on the right things? Are the things you’re doing really minimizing your business risks and addressing the right security trends?
It’s easy to get distracted and do what time management experts call majoring in minors — spending time, effort and money on areas of security that, in the grand scheme of things, might not provide much value to the business. You’re spinning your wheels and going through the motions rather than resolving what’s urgent and important. It’s classic 80/20 rule: Focus on the 20 percent of the initiatives that will provide 80 percent of the value for the investment.
Security Trends Come to Light
There are various trends impacting information security today that you need to stay on top of — many of which came out of the 2016 RSA Conference. This includes the Internet of Things (IoT) and data protection in the cloud, as well as the encryption and privacy of customer and corporate information. In a day and age when I’m still seeing people spend large sums of money on technologies such as network access control (NAC) and traditional antivirus solutions while data breaches are as prevalent as ever, it seems that something needs to change.
Instead of security teams focusing on more recent technologies such as cloud access security broker (CASB), advanced malware protection and the like, it’s as if they’re stuck in a vacuum; they’re bound and determined to fix what was important five to 10 years ago. As a result, they may be overlooking areas of risk and technologies that can help solve problems in newer, better ways.
What’s the state of security in your business? You’re likely experiencing modern challenges like most others. But are you paying close enough attention to see the details? A great exercise is to do what’s called zero-based thinking. Ask yourself: Knowing what we know today, what would we do more or less of? What should we now be focusing our efforts on given the current threats to our environment?
Transform Your Security Program
If you ask these questions, and answer them honestly along with your peers and management, you can truly transform where your security program is today. Look at what’s going on with the latest threats and technologies because that’s where we’ll likely be focusing our efforts in five years. You might just see your priorities change and be in a better position down the road by focusing on what’s important today.
I also recommend you take some time over the next few weeks to review the publicly accessible resources that came out of the RSA Conference and other recent industry events. There are keynote highlights on YouTube and considerably more videos on the RSA Conference website. Such resources are great for helping you build out or improve your information security initiatives, including security architecture, threat intelligence, policies and governance, and awareness and training.
All of this being said, you don’t want get too far off into the weeds addressing the latest and greatest information security trends if you haven’t yet fixed the basics. These fundamental flaws are on your network right now, and discipline is the only solution — not hype and short-term motivation from security conferences or media headlines, which will soon fade away.
Keep in touch with the latest happenings, but master the fundamentals. That’s the only true way to resolve your security issues over the long haul.
Independent Information Security Consultant