It’s Not Too Late to Correct Your Security Posture
You’ve heard it a thousand times: “Sit up!” “Keep your back straight!” “Watch your posture!” When you had the luxury of youth, you could will yourself back into (correct) shape in a snap. But slowly, as the years passed, it became more and more difficult for you to quickly and easily correct your posture. Back pains, which used to go away as soon as you shifted position, now last for minutes or even hours.
The Importance of a Correct Security Posture
Much like the warnings from your parents or grandparents about your physical posture, an organization’s poor security posture can often lead to greater pains down the road if small, corrective actions are not implemented quickly. And like loved ones reminding you about the need for good posture after a quick glance, seasoned security professionals can usually assess the security posture of an organization they walked into just a few hours or days ago.
Just because an organization hasn’t felt any pain yet doesn’t mean that there isn’t a significant security threat looming over the horizon — or, worse, already inside the body of the organization. There are telltale signs that an organization’s posture is headed for trouble.
Five Ways to Reduce Aches and Pains
Here are five areas of your organization’s security posture that should be reviewed:
1. Tone From the Top
Much like the head controls the body, setting the tone from the top is critical if an organization is to improve its security posture. Good governance, along with appropriate attention and support from management, is key to keeping tabs on, detecting and correcting possible security weaknesses well before pain shows up.
2. Organizational Factors
Having someone in charge of the security program is a good start. However, simply appointing a chief information security officer (CISO), or even a security manager, isn’t good enough. A healthy security posture needs a lot more than just a figurehead.
The implementation of a security program isn’t something done quickly or cheaply. It is more of a long-term corrective posture: something that will need the right amount of time and attention, constantly, over many months and years in order to have lasting impact. There are many security controls to choose from and many assets to be better protected, and the CISO will need the right vision and support to improve the organization’s posture.
3. Human Factors
Organizations also need to keep in mind that, just as bad posture is hard to correct, human habits are hard to change, especially in the absence of any obvious pains.
Why should your employees change the way they do things when there’s no visible threat? The CISO, working in partnership with the rest of the C-suite, needs to engage in a slow, yet unstoppable set of projects whose aim will be to change employee habits and teach them better posture.
4. Communication About Information Risks
Much like one side of the body might send a shooting pain to alert you to a health event, communications around and about cyber risks are key. Organizations and their moving parts (i.e., people) need to be aware of the barriers to effective communication and ensure valuable conversations about cyber risks occur on a regular basis.
If done well, the moving parts can even start acting as alert sensors, ready and willing to share anything out of the ordinary they might observe.
In 2012, then-FBI Director Robert S. Mueller III said, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Much like posture during your youth will impact your later years, organizations can no longer wait years to get themselves prepared for the inevitable security incident. Having a plan, practicing it — before any actual incidents — and refining your procedures will go a long way toward enabling your organization to react more quickly and effectively when the pain of a real security incident happens.
Ultimately, correcting your organization’s security posture is a long-term process; any pains that are currently experienced are likely the result of years of poor posture. The good news is that it’s not too late to start rectifying the problem — just don’t expect perfect posture overnight.