Time is of the essence.
We hear that statement in everything from investing in the stock market to exercising, dieting and practically all things business-related. Outside of finance or mergers and acquisitions, I can’t think of any other area of business where timing is as critical as it is with information security.
The timing of practically everything you do — or don’t do — determines where you are going to end up in terms of your security posture, audit and compliance gaps and those dreaded data breaches that criminal hackers inflict upon you.
Criminal Hackers Have Nothing But Time
The unfortunate thing with time in information security is that you have very little of it, whereas the criminal hackers who are after your network and information assets have an infinite supply. If an attacker wants to use your system for ill-gotten gains or attack your assets directly, he or she can just do a little at a time or simply sit back and wait in the trenches as long as needed to get the work done.
The slower actors attack your network, the greater the chances that they’ll fly under your radar. The criminals can take weeks or even months gathering information before launching their attacks in bits and pieces over time. This is how many of the big breaches play out — and it can happen to you.
Information security may be a game of cat and mouse, but the ramifications can run much deeper in human terms. There’s a lot at stake in terms of your organization’s livelihood, your team’s credibility and even your career.
Fixing Security Issues at a Moment’s Notice
If you could only have an unlimited budget, you could fix all your security problems, no? With such odds stacked against you, you have to be smart in your approach. You must not only determine where your risks are, but also locate the most urgent and important risks so you can prioritize your time, money and efforts around those areas.
One of the quickest wins you can achieve in terms of security breach prevention and response is to outsource the functions of security monitoring and alerting. Odds are good you don’t have the proper tools or expertise in-house to take on such an important aspect of security.
Start building out your information security program to include this service today. If you prefer to keep things in-house, you have to be prepared to spend a lot of money on the tools and staff necessary to develop an effective security operations center. Either way, I believe this is the one missing link that not only gets so many organizations into a bind, but can also be leveraged to keep them out of hot water.
In the meantime, fix the fixable. No monitoring or response budget or expertise can make up for oversights in and around the basics of information security.
Watch the on-demand webinar to find out if you’re ready for a Security Operations Center
Independent Information Security Consultant
Kevin Beaver is an information security consultant, writer, and professional speaker with Atlanta-based Principle Logic, LLC. With over 29 years of experienc...