December 16, 2015 By Kevin Beaver 2 min read

We live in a gotta-have-it-now society. The desire for instant gratification is not only at the root of personal desires, but it also drives bigger, more impactful things in business and government. Quick fixes to problems that arise, often with little to no thought put behind them, are implemented and often politicized for the gain of an individual or group. The original need may have been satisfied on paper, but there’s often a slew of unintended consequences with this approach.

There’s Danger in Postponing Security Measures

We see this very behavior every day as it relates to information security measures. When an auditor reports that policies and procedures are missing, they’re downloaded from the Internet and tweaked to please. When a customer or business partner sends a security questionnaire to be completed before a business deal can be closed, someone in the organization — often a person who doesn’t have all the answers — runs through it, checking boxes and filling in blanks with words they know the other party wants to hear. When management discovers that a security assessment has never been performed, they assign the task to IT or security staff who, in turn, run a quick, external vulnerability scan.

There’s almost always an immediate need that is quickly fulfilled. But at what cost? How much additional risk is created by slapping things together at the last minute and considering it whole? It’s human nature to provide quick fixes with the intention of coming back later and making it better. But you know where the road paved with good intentions leads to.

Striking the Right Balance With Security

We live in a world of cause and effect. Everything we do in information security is cyclical and predictable. There are so many examples where the box is checked without thinking through the action; people assume they’ve succeeded because they threw together some quick-and-dirty security solutions.

They start to think that they’ve made it and can relax or move on to the next thing. They stop working on their craft, let their guard down and quick security fixes come back to bite them. You cannot afford to go down this path.

I’m not saying everything security-related must be long-term, dragging on through committee consensus and so on. There’s almost always a real need to implement something quickly. In fact, when things take too long, it can have the same negative consequences as doing things too fast.

You have to be careful with the quality of the end product. As the saying goes, “good enough” rarely is. If you need to fix something with security at the last minute, do what you need to do — but vow to make it better in the near future. Sooner than later, get it to the level of implementation or quality where you know it needs to be. Assign responsibility and deadlines to hold the right people accountable.

Start early doing the things you know you need to do. Work on them a little bit each week, reaching goals one security step at a time. This approach will not only keep things in check and keep your organization out of hot water, but it will help you stand out as a professional who sees the bigger picture and understands what it really takes to make security work.

More from Risk Management

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Mapping attacks on generative AI to business impact

5 min read - In recent months, we’ve seen government and business leaders put an increased focus on securing AI models. If generative AI is the next big platform to transform the services and functions on which society as a whole depends, ensuring that technology is trusted and secure must be businesses’ top priority. While generative AI adoption is in its nascent stages, we must establish effective strategies to secure it from the onset. The IBM Institute for Business Value found that despite 64%…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today