Security is a Serious Business Where The Bottom Line is The Only Result that Matters. Focusing on the Negative May Not Sound Fun, But it’s Effective...
The first week of the New Year is always one of the more interesting times. Gone are the skeleton crews of the past month and, for the first time, everyone is back together from their holiday breaks and ready to take on the next set of challenges. It’s also the time of year when people make a lot of resolutions that statistics show they have little chance of actually keeping. For the next few weeks the gyms will be packed with those committed to getting in better shape, shedding a few pounds, eating healthier, etc., but the reality is that, by February, things will return to normal levels. The same can hold true in enterprise organizations.
While I’m not going to offer any fitness tips in this article, I am going to suggest a change in the way companies and IT professionals view their security programs in the coming year. Rather than focusing on the vulnerabilities you are addressing and the types of attacks you are preventing, look at security through the prism of an attacker. Where are the cracks in the fortress walls? What vulnerabilities could possibly remain that could be exploited? Be honest in assessing yourself and your security protocols. Ask yourself the tough questions: are you keeping up with the latest patches, technologies, and threats, and do you have the proper team and resources in place?
While I like to think of myself as the proverbial glass half-full type of guy and not someone who obsesses over the negative or potential failures, when it comes to security, it’s always about what could go wrong. When is the last time you read an article about a breach that didn’t happen? Having been in the security industry a long time, I appreciate as well as anyone how tough the job is and the hours and dedication that go into securing an enterprise environment. And while it is human nature to want to congratulate yourself on working hard and what you have done right, the hacker only cares about the one oversight or mistake that will allow them access to your critical information.
This is the mindset you need to have when evaluating your defenses. Security is a serious business where the bottom line is the only result that matters. I know that sounds harsh, but nobody cares that you locked ten doors if a thief walks through door number eleven and steals all of your critical assets. You are probably sick of hearing me say this, but we need to be perfect all the time, while a hacker only has to be right once. This is the threshold we live and operate under, and viewing our protocols through the hacker’s eyes will allow us to identify a greater number of potential weaknesses.
While focusing on the negative may not sound fun, it’s effective. Here’s a good analogy: if you’ve ever been through the home buying process, you know that the first step after agreeing to terms is to have a home inspection of the property completed. While you and your family are focused on the fact that you just found your dream house with great views, high ceilings and a big backyard, the home inspector is pointing out that the foundation is cracking, the roof needs maintenance and the electrical is out of date. While Mr. Inspector may have just rained on your parade, he also provided you with a level of critical analysis that will enable you to make an informed decision and avoid a potentially catastrophic event down the road.
A good security director will do the same thing. Complacency is never a good thing, but in security it can have devastating effects. While it’s good to acknowledge progress, that should never stand in the way of staying ahead of the next potential threat. When you take a look at the most common ways that breaches happen, it’s baffling that they continue to be the result of simple vulnerabilities or carelessness: unpatched software, weak passwords, forgotten admin accounts. These are the mistakes that hackers rely upon and that we as security professionals need to get serious about if we are going to have a greater success rate in the coming years.
There are going to be a lot of promises and resolutions broken in the coming weeks. Life gets hectic and the best-laid intentions are set aside in favor of immediate issues and problems. I’d ask that all of you as security professionals commit to viewing your networks in a different light in the coming year, and make sure that this is one regimen you don’t break away from. Remember, security is only fun if you are winning.