Light Dark
March 23, 2018 By Kevin Beaver 3 min read
CISO
Risk Management

Today’s security threats are real, and the business risks are tangible. Yet, many organizations manage their security program in a way that does little to address these challenges over the long term. The last thing you need is to take the wrong approach to security, spend money you don’t need to spend and end up woefully unprepared for network events when they occur.

By and large, many people manage IT with a false sense of security — a heightened sense of self. They appear to be getting stuff done: They’re spending money, going through the motions and things are happening. Management sees this and assumes that all is well, but it’s really not.

Common Fallacies That May Be Holding Back Your Security Program

Looking from a higher level at what’s taking place in the average enterprise, security is all over the map. Some people swear by their security awareness and training initiatives, yet their users’ behavior remains wildly unpredictable. Many such efforts appear to be beneficial, but when they fail to measure users’ progress, they squander opportunities for improvement.

Ditto for paperwork: Even the best security policies and procedures are useless if the organization’s practices don’t reflect them. After all, policies on their own cannot prevent a data breach. In fact, I’ve yet to see a policy that by itself positively contributes to effective security. Instead of policies with little substance, security professionals need technologies that can enforce those policies in transparent and automated ways.

Still, the same can be said for technology. I would estimate that roughly half of the security products and services I come across are woefully under implemented — some to the extent that you can’t help but wonder why the money was even spent in the first place. Some IT and security professionals believe they have completely locked down their network but are almost always gaps. Some organizations focus too much on compliance and too little on security, while others are too trusting of their vendors.

Establishing Organization-Wide Security Goals

This lack of direction stems from people in the business not having a set of common goals to work toward. I’ve met executives who couldn’t articulate what they were trying to accomplish — they just knew that security was a priority to someone. Rather than understanding their requirements and working on plans to protect what was important, they were busy putting out fires on a day-to-day basis.

Some executives fall into this trap because they lack goals, while others simply lack sufficient resources. Regardless of the reason, if you’re not putting forth the necessary effort and implementing adequate security controls, you can’t reasonably protect your network and information assets, much less know whether or not your security strategy is working.

As economist Thomas Sowell once said, “It takes considerable knowledge just to realize the extent of your own ignorance.” The mark of a true security professional is someone who realizes that he or she doesn’t know everything and can’t possibly secure his or her network against all the threats that are out there. Once you acknowledge this, you’re well on your way to achieving a reasonable state of security.

You might have everything you need to properly secure your network, know your risks and understand how to uncover them quickly. You might even have management’s support — and all the technical controls under the sun. Even with all this at your disposal, the most critical step is to obtain and maintain the necessary level of discipline to achieve your security goals, as well as the cultural and political support to see it through.

Fine-Tuning the Basics

Many people want to keep talking about what’s new and what’s next with security. The reality is that we don’t need anything else — we just need to understand and implement the basics and fine-tune them over time. It’s true that one bad decision is all it takes to expose your organization to a cyberattack. Likewise, one good decision is all it takes to get your organization on track with reasonable (if not perfect) security initiatives.

Many of the mistakes and oversights in your security program are minor by themselves. When you add them up, however, they represent formidable challenges. Get on track and do the things that you know will enhance security and minimize risks.

This involves three core steps:

  1. Know your network.
  2. Understand how your important data is at risk.
  3. Do what it takes to eliminate, minimize or otherwise compensate for your risks.

I’ve yet to see an organization that is proficient in all three of these areas.

It’s easy to overlook some big security gaps when you are exposed to your own environment day after day. Don’t hesitate to bring in an unbiased third party that can give your system a fresh look. That’s one of the best ways to uncover your blind spots. If you don’t, threat actors are sure to smell blood and eventually take advantage of your security weaknesses.

Listen to the podcast series: A CISO’s Guide to Obtaining Budget

 |  |  |  | 
Kevin Beaver
Independent Information Security Consultant

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature