Today’s security threats are real, and the business risks are tangible. Yet, many organizations manage their security program in a way that does little to address these challenges over the long term. The last thing you need is to take the wrong approach to security, spend money you don’t need to spend and end up woefully unprepared for network events when they occur.
By and large, many people manage IT with a false sense of security — a heightened sense of self. They appear to be getting stuff done: They’re spending money, going through the motions and things are happening. Management sees this and assumes that all is well, but it’s really not.
Common Fallacies That May Be Holding Back Your Security Program
Looking from a higher level at what’s taking place in the average enterprise, security is all over the map. Some people swear by their security awareness and training initiatives, yet their users’ behavior remains wildly unpredictable. Many such efforts appear to be beneficial, but when they fail to measure users’ progress, they squander opportunities for improvement.
Ditto for paperwork: Even the best security policies and procedures are useless if the organization’s practices don’t reflect them. After all, policies on their own cannot prevent a data breach. In fact, I’ve yet to see a policy that by itself positively contributes to effective security. Instead of policies with little substance, security professionals need technologies that can enforce those policies in transparent and automated ways.
Still, the same can be said for technology. I would estimate that roughly half of the security products and services I come across are woefully under implemented — some to the extent that you can’t help but wonder why the money was even spent in the first place. Some IT and security professionals believe they have completely locked down their network but are almost always gaps. Some organizations focus too much on compliance and too little on security, while others are too trusting of their vendors.
Establishing Organization-Wide Security Goals
This lack of direction stems from people in the business not having a set of common goals to work toward. I’ve met executives who couldn’t articulate what they were trying to accomplish — they just knew that security was a priority to someone. Rather than understanding their requirements and working on plans to protect what was important, they were busy putting out fires on a day-to-day basis.
Some executives fall into this trap because they lack goals, while others simply lack sufficient resources. Regardless of the reason, if you’re not putting forth the necessary effort and implementing adequate security controls, you can’t reasonably protect your network and information assets, much less know whether or not your security strategy is working.
As economist Thomas Sowell once said, “It takes considerable knowledge just to realize the extent of your own ignorance.” The mark of a true security professional is someone who realizes that he or she doesn’t know everything and can’t possibly secure his or her network against all the threats that are out there. Once you acknowledge this, you’re well on your way to achieving a reasonable state of security.
You might have everything you need to properly secure your network, know your risks and understand how to uncover them quickly. You might even have management’s support — and all the technical controls under the sun. Even with all this at your disposal, the most critical step is to obtain and maintain the necessary level of discipline to achieve your security goals, as well as the cultural and political support to see it through.
Fine-Tuning the Basics
Many people want to keep talking about what’s new and what’s next with security. The reality is that we don’t need anything else — we just need to understand and implement the basics and fine-tune them over time. It’s true that one bad decision is all it takes to expose your organization to a cyberattack. Likewise, one good decision is all it takes to get your organization on track with reasonable (if not perfect) security initiatives.
Many of the mistakes and oversights in your security program are minor by themselves. When you add them up, however, they represent formidable challenges. Get on track and do the things that you know will enhance security and minimize risks.
This involves three core steps:
- Know your network.
- Understand how your important data is at risk.
- Do what it takes to eliminate, minimize or otherwise compensate for your risks.
I’ve yet to see an organization that is proficient in all three of these areas.
It’s easy to overlook some big security gaps when you are exposed to your own environment day after day. Don’t hesitate to bring in an unbiased third party that can give your system a fresh look. That’s one of the best ways to uncover your blind spots. If you don’t, threat actors are sure to smell blood and eventually take advantage of your security weaknesses.
Listen to the podcast series: A CISO’s Guide to Obtaining Budget
Independent Information Security Consultant