No matter how valiant the efforts to secure their systems, or the amount of money spent on IT defenses – many of the same IT security challenges persist today as they always have.
Enterprises are behind in their ability to quickly detect data breaches. According to the 2015 Verizon Data Breach Investigations Report, the vast majority of organizations don’t detect breaches with days of occurring, no – the time to detect compromise is still too often measured in weeks, or months. And, depending on the study, security breaches can cost $100 per record and up.
As the sheer number of breaches, their duration, and their costs reveal in the past few years, enterprises can clearly do much better. But it’s not a matter of a quick fix. It’s not a single product deployment, or hiring to fill a few positions. There are, however, key areas that organizations can focus upon to close the gap between the ease in which attackers can exploit enterprise weaknesses and the ability for enterprises to defend their systems and data.
Here we go:
1. The security program informs the regulatory compliance program, not vice versa
Too many organizations today remain focused on maintaining their baseline security controls. They check their regulatory compliance check boxes and move on. Firewall: check. Network monitoring: check. Network segmentation: Should be in place, check. What lacks is a focus is making sure each of these functions is done right.
This needs to be flipped around. Enterprises need to build rugged security programs and build the reporting on top of those programs to feed into their regulatory compliance efforts.
2. Hire and cultivate the right security talent
In my interviews with CIOs and CISOs it’s clear, across the board, enterprises are hurting when it comes to finding skilled information security professionals. If you know device security, enterprise security architecture, are a pen tester, can manage or build a security program – you are not in want to job opportunities.
The challenge for enterprises is that technology and attack methods are moving so swiftly, that traditional education and corporate training programs don’t keep up. And, quite frankly, many HR departments in large enterprises don’t know how to hire well for information security positions. They rely too heavily on certifications and not enough of security problem solving skills. Traditional training doesn’t keep pace producing security skills needed with constant changes in mobility, cloud architectures, virtualization, containerization, Internet connected devices (IoT) and others.
Skilled security pros also tend to come from non-traditional backgrounds. They are liable to be the men and women with purple hair, lots of tattoos, and a scattered college history: but they know how to hack and many know how to help defend against hackers. But they are overlooked. This needs to change, and government and corporate enterprises need to rethink how they vet and view security talent. They need to consider training in-house talent that has an affinity to this field and wants to be trained.
3. Communicate in terms the business cares about
Today, too many security professionals think, and speak, in technical terms. Such as when they see a certain attack vector, they see a technical problem. And they are right, it is in fact a technical problem in most cases and can be remedied technically. But to business leaders and management it is a business risk. And business people want to understand things in business terms and business risks.
When most people suffer say, a car breakdown, they care more about losing the utility of the car than they care about the technical reason for the breakdown. When they ask technical questions about the nature of the mechanical failure, what is really going on in most people’s minds about the car is how the nature of that mechanical breakdown will impact the cost to fix. So that’s loss of utility and cost to get that utility back that matters to us most.
Business leaders, when it comes to IT, think no differently.
What is at stake with the risk, from a business perspective. How much will it cost to remedy. What is the cost of losing the utility? These are the terms more security people much speak in.
4. Shift some security focus to breach detection and response
With good reason, tens of billions of dollars have been invested by public agencies and private enterprise into traditional security defenses: the stuff geared to keep bad guys and things out. I’m not sure if enterprises have spent enough, or too much. That is certainly an interesting and debatable question. But I am sure we can’t count on it to work all of the time, every time.
Attackers are going to get through. There will be a misconfiguration they find, or there will be an employee who clicks on something they shouldn’t, or a trusted web site will serve malware and that breach will go undetected. Bad things are going to happen to enterprises that strive to protect themselves and do the right thing.
This is why more resources and effort needs to be focused on the ability to detect and respond to successful breaches. It makes sense to want to stop attacks. But like in American football, good defense wins games but it doesn’t win every game and even the best defenses are scored against.
Your information security defenses and efforts are no different.
Plan and put the resources in place to rapidly respond. It will mitigate the damage of successful breaches, and hopefully keep the costs of those breaches down, too.
5. Shift to data-driven security decisions
An important shift is one that has been widely talked about in security, but not always very pragmatically acted upon. Security pros need to stop working from a position of what they knew to work in the past, or their personal hunches, or providing the types of defenses the business thinks it needs.
To date, this hasn’t worked so well. We need to start making more data-driven decisions. If the business wants to invest in certain areas of security spending, perhaps that is the wisest move or perhaps it is not. Collecting the right data about the nature of the security controls in place, how well they are performing, as well as what has not been working well may provide better answers. Certainly the final decision about what spending will get done is up to the business, but by providing the right data you can help them make better decisions.
All the data needed is out there: the nature of the adversarial threats, the technical vulnerabilities, the value of the business data and services provided by critical applications, as well as the goings-on within the network and applications. It’s time this information be better collected, analyzed, and put to use to make the best data driven decisions possible.