As most of us know, being responsible for cybersecurity, and for how it is perceived within an organization, can be a rather thankless task. Very seldom is our job function even noticed, unless of course the job was not done properly.
With the onslaught of virtualization, mobile computing, and cloud technologies, the role of the security practitioner in the workplace has not subsided; it has become more complicated. For example, many key business decisions are now made outside the IT department, so being proactive in determining reasonable, cost-effective security practices has become the norm for today’s security professionals.
Regardless of the situation, we can all agree that cybersecurity plays an important part in every company. Given the demonstrated risk posed by cyber attackers and the daily occurrence of security breaches, I wanted to share five of the most common mistakes made by security professionals, each introduced by the statement that usually signals it.
Five of the most common mistakes:
5) “Call our security team and get their thoughts on this …” – One of the things most often overlooked in cybersecurity is the development of a “security-first” mindset. Many organizations rely heavily on the security department to set policy, improve security awareness, manage defenses, harden systems, apply patches, and set permissions. But an effective cybersecurity program means security professionals are involved in the day-to-day evolution of business operations as part of an integrated team. Too often we find companies that have partitioned their security staff off in a remote corner and bring them in only at the tail end of a project to seek security guidance. Not to mention that many fail to include a security representative in the leadership of the organization with the authority to influence operational decisions.
4) “We just don’t have that in our current budget.” – From my experience, many companies practice foolish forecasting and spending when it comes to managing security risk. Most of the time, organizations spend budget dollars solving past problems rather than prioritizing the mitigation of current risks. The result is a ready-made excuse for not tackling sometimes significant risks “because of budget.” Being successful at cybersecurity goes well beyond fixing yesterday’s problems. The effort has to be a sustained approach that addresses past, present, and future risks based on each organization’s unique business scenario: a comprehensive process, from start to finish, for evaluating risk and budgeting strategically for priorities, along with sufficient financial resources and expertise set aside for the emergency resolution of risks or new requirements that emerge after the forecast is done. When we hear statement #4, what is really being communicated is that the issue has no priority, low priority, or came up unexpectedly. A reserve set aside for emergencies removes the excuse of having no budget for pressing security needs.
3) “We monitor, therefore we are secure!” – Monitoring is most often driven by a particular compliance requirement, but security cannot be left to monitoring alone once compliance has been achieved. Monitoring is certainly a core cybersecurity practice, but just as important is the ability to assess risk and determine the short- and long-term threat landscape. Relying on monitoring alone to react to threats, without improving layered defenses, prioritizing the management of risk, and forecasting and budgeting for an acceptable level of risk, is a strong indicator of a security program that lacks maturity.
2) “We always have someone available on Patch Tuesday in our organization.” – This could easily be number one on my list, and it is the response I hear from many organizations that manage security operations. The auditor comes in, is directed to the department responsible for patching, and everything is good, correct? Not really. For the most part, I have found that when a company explains that its patching is under control or that it patches all critical risks, it means from an operating system (OS) perspective. How about your applications? Many organizations avoid patching certain applications for fear of compatibility problems. I also hear confidence that critical patches are applied and everything else is acceptable risk, and explanations that the enterprise management tools only work well for patching core technology, so the rest is a manual process for later, or ignored because it is difficult. Attacks that target applications easily outnumber those that target the OS, and not staying on top of application patching in your environment creates significant opportunities for a breach. After hearing these statements, the questions to ask are how configuration management, asset management, assessment, patch testing, and prioritization of patches are handled before patching, and how patch verification and metrics are handled afterwards to determine whether the objectives of patch management are actually being met, rather than simply feeling comfortable that someone is on staff on Patch Tuesday.
1) “We’re not in the business of IT security.” – I once read that McDonald’s was not in the hamburger business but the real estate business. This makes complete sense given the number of locations where the “golden arches” seem to be present. I bring this up because all too often employees confuse their day-to-day roles and responsibilities with their initial job description. Unfortunately, working in the accounting department does not excuse you from maintaining situational awareness, abiding by the corporate password policy, or observing information sensitivity. Educating our user community is one very important aspect of cybersecurity that is often overlooked in favor of more “pressing” business matters. Fortunately or unfortunately, with the great power that technology brings to business comes responsibility for security. Maybe we should ask the Surgeon General of the United States to add a warning to the side of every technology box: “Warning: this box could be harmful to your company’s health and reputation. Use technology in moderation and manage your consumption through solid security practices. This product may increase the potential for breach, poor reputation, and financial loss.” With great power comes responsibility.
As today’s threats become more complex, keeping our users’ awareness elevated has become an ever-increasing part of cybersecurity. This in no way depicts all of the mistakes to avoid when implementing a strong cybersecurity program, but being aware of these statements may help uncover other common pitfalls. The battle against IT threats is constant and evolving; once we understand that, and are proactive in our evaluation of risk, budget forecasting, management of defenses, and governance of security programs, the better prepared we will be to take the offensive.
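Mistake #2 above turns on measuring whether patch management actually meets its objectives, across applications as well as the OS, rather than taking “someone is on staff on Patch Tuesday” as evidence. The script below is an added example, not code from the original post, that shows what such a measurement looks like: it walks a constructed asset inventory in which each host reports the installed version of its OS build and its applications, compares each against the version that carries the outstanding fix (the verification step), and produces coverage per software class plus a list of SLA breaches by host and owning team. The inventory format, the hostnames and owners, and the remediation SLAs are all assumptions made for the example.

```python
"""Patch-management metrics over a constructed asset inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Hypothetical remediation SLAs in days, keyed by fix severity (assumption).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Component:
    """One piece of installed software on a host, OS build or application."""
    name: str
    kind: str        # "os" or "app": tracked separately on purpose
    installed: str   # version the host actually reports after patching
    fixed: str       # lowest version that contains the outstanding fix
    severity: str    # severity of the outstanding fix
    released: date   # date the fix was published; the SLA clock starts here


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: str       # team accountable for remediation
    components: Tuple[Component, ...]


def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare dotted numeric versions as integer tuples so that 9.10 > 9.9."""
    return tuple(int(p) for p in v.split("."))


def is_patched(c: Component) -> bool:
    """Verification: believe the version the host reports, not the change ticket."""
    return version_tuple(c.installed) >= version_tuple(c.fixed)


def days_overdue(c: Component, today: date) -> int:
    """Days past the SLA for an unpatched component; 0 if patched or still inside SLA."""
    if is_patched(c):
        return 0
    return max(0, (today - c.released).days - SLA_DAYS[c.severity])


def patch_metrics(assets: List[Asset], today: date) -> Dict[str, object]:
    """Coverage per software class, SLA breaches (worst first), and pending-in-SLA count."""
    patched = {"os": 0, "app": 0}
    total = {"os": 0, "app": 0}
    breaches: List[Tuple[str, str, str, str, int]] = []
    pending_within_sla = 0
    for a in assets:
        for c in a.components:
            total[c.kind] += 1
            if is_patched(c):
                patched[c.kind] += 1
                continue
            late = days_overdue(c, today)
            if late:
                breaches.append((a.hostname, a.owner, c.name, c.severity, late))
            else:
                pending_within_sla += 1
    # Highest severity first, then the most overdue, so the report leads with priorities.
    breaches.sort(key=lambda b: (SEVERITY_RANK[b[3]], -b[4]))
    coverage = {k: (patched[k] / total[k]) if total[k] else 1.0 for k in total}
    return {"coverage": coverage, "breaches": breaches, "pending_within_sla": pending_within_sla}


# Constructed sample inventory: three hosts, OS builds plus applications.
TODAY = date(2024, 3, 1)
SAMPLE_INVENTORY = [
    Asset("fs-01", "desktop-eng", (
        Component("os-build", "os", "1.2.3", "1.2.3", "critical", date(2024, 2, 20)),
        Component("browser", "app", "121.0.1", "122.0.0", "critical", date(2024, 2, 8)),
        Component("pdf-reader", "app", "9.4.0", "9.4.0", "high", date(2024, 1, 10)),
    )),
    Asset("db-02", "platform", (
        Component("os-build", "os", "1.2.2", "1.2.3", "high", date(2024, 2, 20)),
        Component("java-runtime", "app", "17.0.10", "17.0.10", "medium", date(2024, 1, 16)),
    )),
    Asset("web-03", "app-dev", (
        Component("os-build", "os", "1.2.3", "1.2.3", "critical", date(2024, 2, 20)),
        Component("web-framework", "app", "4.1.0", "4.2.0", "medium", date(2023, 11, 1)),
    )),
]

if __name__ == "__main__":
    m = patch_metrics(SAMPLE_INVENTORY, TODAY)
    for kind, frac in m["coverage"].items():
        print(f"{kind:>3} coverage: {frac:.0%}")
    for host, owner, comp, sev, late in m["breaches"]:
        print(f"BREACH {host} ({owner}) {comp} [{sev}] {late} days past SLA")
    print(f"pending within SLA: {m['pending_within_sla']}")
```

On the sample data the OS side looks fine at two of three hosts current, while the application side is at 50% with two SLA breaches, one of them a critical browser fix; that is exactly the gap the “Patch Tuesday” answer hides. The same split is worth reporting by owner, because the team that patches the OS image is rarely the team that owns the web framework.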