Security Experts:

Knowing When Change Is Needed

Einstein was credited with stating, "We can't solve problems by using the same kind of thinking we used when we created them." Change can look daunting when you’re the one responsible for optimizing your company’s security, risk and compliance posture. Past investments in point products make a change in direction feel like an unnatural act, but there are plenty of indicators that the status quo just doesn’t cut it any longer. Have you given meaningful thought to how to best address the challenges of an increasingly complex and sophisticated IT security landscape? Once you determine you have a problem and change is needed, how do you decide which path to take?

We only have to look at what’s transpired in Egypt over the past several weeks to know that President Hosni Mubarak waited much too long to decide to step aside. How much pain and disruption could have been avoided had he come to his senses when the first signs of a need for change were evident and unwavering? How many millions of dollars were lost due to the president’s unwillingness to cede control sooner?

Security practitioners only have to look back over the past twelve months, at the coordinated attacks that used nasty malware such as Aurora, Stuxnet and, most recently, Night Dragon, to see the impact they had on targeted organizations. How would the outcome have changed had those organizations taken steps long ago to thwart attacks and optimize their security posture?

Signs that Change is Needed

I spend a lot of time interviewing CISOs about the challenges they face and the concerns they have. Over time, we’ve seen a pattern develop of those things that keep them awake at night and lay the foundation for when a different approach to security, risk and compliance management is needed.

Firefighting Mentality – More often than not, security practitioners find themselves chasing the latest malware and other threat du jour. Since they’re spending an inordinate amount of time fighting fires, they are not able to focus on critical projects. Are you finding that you and your team are struggling to get out of firefighting mode? Are you able to effectively plan projects and keep them on track?

Proliferation of Regulations – Rarely does a week go by when I don’t hear about a new or revised regulation that’s got more teeth than any predecessor. I'm also seeing more headlines about companies receiving stiff fines for failing to comply. Are the processes and systems you use for compliance staying current as regulations evolve and new relevant regulations come into play? Do they keep pace with new and evolving standards such as CVE, SANS Top 20, COBIT, ISO 17799/ISO 27002/FINRA, NIST SP 800, DISA STIG and FDCC?

Balancing Security, Risk and Cost – Since the dawn of business, this has been a major headache for security practitioners. Having just the right amount of security to keep your systems protected and compliant in such a way that maximizes user productivity has proven to be a very daunting task. Are your users productive and able to meet their objectives without being overly burdened by the security running on their systems or the data they access? Are you in a position to immediately determine what security product is needed when the next threat materializes? Do you know precisely which systems are already protected when a new threat is discovered?

Consumerization of IT – Everyone wants the latest gizmo they purchased at Best Buy or the Apple Store to plug seamlessly into your IT environment. Smartphones and mobile devices are shaping up to be the threat vector of choice for hackers and other evil-doers. In fact, a recent report was published saying, “Malware targeting mobile devices rose 46% in 2010, but the threat should not be measured only in terms of volume, because fewer attacks are already proving to be more damaging." Are you able to allow new devices to access your systems without impacting security? How agile and adaptive is your IT security?

Patch Management – Patching still drives us crazy. On one hand you have virtually every vendor rolling patches out without any regularity, Microsoft being the biggest exception. On the other hand you have an ever-increasing number of out-of-band, critical patches arriving on your doorstep at breakneck speeds. Between the two, patching has almost become a daily grind. Have you been able to reduce the number of times that you patch each year or do you find yourself always in patch panic mode?

Scale and Complexity – Your business is growing and becoming more complex (both IT and users). Do you have the right products in place to support your growth? Are the vendors that you currently use keeping pace with your growth through innovation? Are they in tune with and responsive to the challenges you face as your workforce and company morph and become more complex?

Social Media and Mixing Data – Your users want unfettered access to Facebook, Twitter, LinkedIn and their other favorite social media sites while they work. They also want to keep their family photos and music on their work laptop. This presents a host of challenges for security practitioners. Are the vendors you use creating products that help you bridge access to social media sites and allow you to mix corporate and personal data in such a way that safeguards your IT environment and sensitive corporate data?

Data Ubiquity and Removable Media – Defining where your security stops and your partners, suppliers, and customers starts is getting increasingly blurry. Also, practically every device -- be it a phone, camera, USB drive, etc. -- can be a point of egress for your sensitive business information. How do your current products and processes adapt to moving digital boundaries and the need to protect sensitive information at rest and in motion?

Some of these concerns may not apply to you and, without a doubt, you have other challenges that prevent you from reaching an optimized state for security, risk and compliance.

What to Look For

Now that you’ve decided a change is required, there are several things you need to consider when vetting security, risk and compliance vendors and solution providers. You should consider, among other criteria, the following:

Vendor Stability – The last thing you want is to have the vendor you choose be out of business next year. You would also hate to see the product you just licensed be acquired by a larger company just to become lost in a sea of products. Have the vendors on your short list been around for a while and regularly delivered innovation into their products? Do they have a compelling road map that aligns with where your business is headed?

Integration – Users are moving away from point products and looking for integrated solutions for security, risk and compliance management since it’s becoming increasingly cost prohibitive to manage several point products and their associated consoles. Look for vendors that offer seamless integration across the spectrum of security and compliance products and allow everything to be centrally managed by one, consistent console. Also, review their partner ecosystem to ensure that gaps they may have in their portfolio can be readily addressed with a partner product.

Threat Research and Content – Malware and threats are increasing at an alarming rate. Some estimate that there were over 3 million new threats in 2010 alone. That fact, coupled with the rapid increase in the number of zero-days, suggests an overwhelming need to ensure that the vendor you choose has a comprehensive threat research capability. You need a vendor that has an up-to-the-second view of the global threat landscape and has the resources to properly analyze and synthesize that data into a feed that the products you use to assess and secure your IT environment can digest instantly.

Delivery Options – Consider vendors that offer a choice of delivery options and the ability to change if and when you need to. You may want to start with a SaaS offering and then migrate to an appliance-based solution. You may want to deploy on virtual machines or some combination of virtual machines and other systems in your environment. Whatever your needs entail, make sure that the vendors you consider can serve up their solutions based on your current and future deployment needs.

Industry Adoption – Your business is largely defined by the industry you’re in. For example, if you’re a financial institution, chances are you need to comply with FISMA and have security needs unique to the financial industry. Make sure that the vendors you review support the FISMA framework as part of their compliance products. Ask vendors for references from customers in your industry who are of similar size to your company.

Like the requirements above, you may have other criteria that you need to consider as you start down the path of change. Take the time to fully document what’s relevant to your business and prioritize those items, since not all needs are created equal.

If You Know It Needs to be Done, Then Do It

Yes, change is hard and can be disruptive. It’s always easier to do what you’ve been doing. However, you need to look past where you are today and consider what makes the most sense for you, your team and your company as you face a security future defined by uncertainty and disruption.

Any decision to make sweeping changes should be given serious consideration. This is not something that should be taken lightly. However, if the signs suggest that it’s the best course, then don’t delay. Waiting will just lead to lingering frustration and a suboptimal security posture that ultimately keeps you at a higher level of risk.

We only have to again look back to the wisdom of Einstein who stated: "Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction." Change in IT security, risk and compliance takes courage and vision. You have to admit that things could be better and be willing to take it upon yourself to set a new course for your business.

If you’re struggling with how to drive change in your business, there’s a great book by Chip Heath and Dan Heath titled “Switch: How to Change Things When Change Is Hard.” It delivers a series of pragmatic and innovative techniques that you can leverage to drive change in any organization.

Be an agent of change.

Gary Davis manages the Risk & Compliance portfolio of products at McAfee. Prior to joining McAfee, Davis worked in marketing and product management for 17 years, including more than a decade in executive management. During this time he developed and implemented successful global strategies and plans to achieve high-revenue growth, improved profitability, and sustained customer value for security, social networking and B2B integration companies.