You don’t know what you don’t know; that seems to be the mantra for most information security programs today. Security visibility is grossly lacking in so many environments. For many, this ignorance — and the ensuing lack of security alerts — is bliss.
No Visibility Equals No Worries — Right?
I’ve seen it time and again: Management, including technology and C-suite executives, intentionally avoid acknowledging or properly addressing the information security weaknesses — or even breaches — impacting their business. On the opposite end of the spectrum, others struggle to keep up with and determine what’s going on because of too much information, a lack of expertise or the improper use of existing security tools. Sometimes it’s all three.
I’ve yet to see an IT environment where those in charge truly understand the state of security at any given moment. I think that’s why we keep seeing the waves of data breaches come in. Regardless of where your organization falls within the spectrum of security visibility and control, the reality is that someone can be doing something bad on your network at this very moment. And odds are good that you don’t even know about it.
Then what happens? Maybe you’ll detect the breach eventually. Perhaps you’ll be lucky enough to be notified by someone else, which, according to studies such as the “Verizon Data Breach Investigations Report,” is a common scenario. It could be that you never find out and long-term damage is inflicted over time, hurting your bottom line and your brand reputation.
Working Through Security Challenges
These security challenges impact both small and large enterprises and even the federal government. Interestingly, I’ve heard stories from security vendors who run a proof-of-concept demo of their product in a customer environment, show advanced persistent threats (APTs) and related criminal activity already on the network, and then get a common response: “Thanks, Mr. Vendor. We appreciate the insight and will put your product in our budget for next year.” So an intruder is in the house, but people will pretend like nothing bad is happening.
No matter the scenario, the fines, lawsuits, discovery requests and depositions will likely ensue, especially if personally identifiable information (PII) is breached. There are also the long-term costs associated with stolen intellectual property, impact to your brand and so on. Is this a challenge that management is willing to take on?
You don’t know what you don’t know, but that’s not a defensible approach to information security. Heads in the sand never helped anyone. If you’re going to stay out of trouble, you have to find out what’s happening on your internal network, across your mobile workforce and in the cloud. Then, when threats, vulnerabilities and risks are identified, vow to do something about them in the very near future, if not immediately. Criminals attacking your business have nothing but time. You don’t.
Independent Information Security Consultant