Rethinking Information Security
By Nolan Garrett
Both the public and private sectors are addressing the importance of cybersecurity as an integral component of their business strategies. Since cybersecurity incidents have hit the headlines across the country, it has caused fear and frenzy around the topic. Executives have taken to the internet and other resources to develop a strategy to best manage their risk.
Unfortunately, there is not a one-size-fits-all solution, nor is there one box that will solve all of your security qualms. It takes a strategic pairing of solutions, best practices and staff training to develop a successful information security program to secure your business.
The success of any information security program is predicated on the leadership of the chief information security officer (CISO) and chief information officer (CIO) of your organization. However, the majority of CISOs and CIOs come from a technical background and value newer technologies to support their security programs. While this approach can be a pillar of a successful program, it is not the be-all and end-all.
Verizon’s “2019 Data Breach Investigations Report” indicates that 69% of all attacks were executed by outsiders, 52% featured hacking, 33% involved social attacks and 28% involved malware.
With 52% of all breaches featuring hacking, what should your information security strategy be? Should your organization move forward with new technologies, or does it make more sense to budget appropriately to the proportionate projected statistical risk?
Industry marketing utilizes niche-focused security solutions that drive the perception that information security is simply a technical problem. Well, isn’t it?
Fear, uncertainty and doubt (FUD) are used to advance a case for niche-focused security solutions and drive even the most nontechnical executive to perceive information security as something they may see in the movies or on TV. Information security is just a technical problem, isn’t it? Well, not entirely. We often forget the human side of security, which is ultimately why many executives have failed to address the core risks and statistics shared in the latest “Data Breach Investigations Report.”
Though it may not be as exciting as new AI skimming your network for outliers or oddities, it is critical to implement risk management properly to ensure a solid foundation for any information security program. It is vital to take the time to execute and maintain regular risk assessments and management to ensure an intentional and continual mechanism of risk reduction and proactive communication.
The most successful information security program is built upon three areas of risk management, which are as follows:
Having a password is similar to having a key to the front door of a house: If you have the key, you have access. But keys are sometimes easily replicated, and passwords are often guessed when proper complexity requirements are not in place.
If an organization lacks strong passwords and effective authentication such as MFA or 2FA, backed by risk-based evaluation of authentication attempts and effective monitoring, even the most complex security systems will not keep hackers out. It is critical to restrict network access, analyze logging records, eliminate default passwords, leverage real-time monitoring and limit the number of login attempts in order to shore up your password defenses.
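Two of the controls above, analyzing login records and limiting the number of login attempts, are simple enough to show concretely. The following is an added example, not code from the article: it parses a handful of constructed authentication log lines (the line format, the thresholds and the user and IP values are all assumptions made for the illustration), flags any user/source pair that reaches the failure limit within a sliding window, and separately flags a success that follows such a burst, which is the pattern a monitoring team would want to investigate.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). The format is an assumption:
#   <ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>
SAMPLE_AUTH_LOG = """\
2024-01-10T09:00:01 FAIL user=alice src=203.0.113.5
2024-01-10T09:00:03 FAIL user=alice src=203.0.113.5
2024-01-10T09:00:04 FAIL user=alice src=203.0.113.5
2024-01-10T09:00:06 FAIL user=alice src=203.0.113.5
2024-01-10T09:00:07 FAIL user=alice src=203.0.113.5
2024-01-10T09:00:09 SUCCESS user=alice src=203.0.113.5
2024-01-10T09:05:00 FAIL user=bob src=198.51.100.7
2024-01-10T09:30:00 FAIL user=bob src=198.51.100.7
2024-01-10T09:31:00 SUCCESS user=bob src=198.51.100.7
"""

MAX_FAILURES = 5              # assumed policy: lock after 5 failures ...
WINDOW = timedelta(minutes=10)  # ... within a 10-minute window


def parse_line(line):
    """Split one log line into its fields; raises ValueError on malformed input."""
    ts, result, user_field, src_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def detect_brute_force(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return a list of alert tuples (kind, user, src, iso_timestamp).

    'lockout' is raised when a (user, src) pair accumulates max_failures failed
    logins inside the sliding window; 'success_after_burst' is raised when a
    login succeeds for a pair that is still in that locked state.
    """
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    locked = set()
    alerts = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        key = (ev["user"], ev["src"])
        q = recent[key]
        # Expire failures that fall outside the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= max_failures and key not in locked:
                locked.add(key)
                alerts.append(("lockout", ev["user"], ev["src"], ev["ts"].isoformat()))
        elif ev["result"] == "SUCCESS":
            if key in locked:
                # A success right after a burst of failures is worth a closer look.
                alerts.append(("success_after_burst", ev["user"], ev["src"], ev["ts"].isoformat()))
            q.clear()
            locked.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_AUTH_LOG):
        print(alert)
```

In the sample data, alice triggers both alerts within a few seconds, while bob's two failures are 25 minutes apart and therefore never cross the threshold. The window-based count is what separates a forgotten password from a guessing attempt; a plain lifetime counter would eventually lock out every legitimate user.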
Understanding what you have is the first step to securing your network and endpoints. If you are ready to implement your information security program, start by taking inventory. Understand your assets, their location, their capabilities and their vulnerabilities. If and when you identify vulnerabilities, it is critical to respond to these potential threats (see below). Automating asset management is the most practical way to keep that inventory current and to respond proactively to future threats.
There are a variety of approaches you can take to automation. Whether that is through patching, reporting, application deployment or auditing, there are plenty of opportunities to properly secure and manage your assets. Through this process, you may discover that streamlining applications whenever possible will positively impact your ability to manage your assets and reduce risk over time. In the end, without knowledge of your assets there is no way to implement adequate security, and the usual result is redundant, overlapping tooling.
Oversimplification of vulnerability management is not ideal. Many organizations reduce their effort to a quarterly or annual process of simply scanning their environment for vulnerabilities and pushing patches to their endpoints. The recommended approach is an ongoing one that includes continuous identification of assets, consistent and rapid response to vulnerabilities identified on those assets based on the risk level each asset presents to the business, and a layered plan of compensating controls such as active monitoring for indicators of compromise.
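The asset-inventory and vulnerability-management passages above describe one loop: know what you have, weight each finding by the risk the affected asset presents, and let compensating controls influence the priority. The following is an added example, not code or a scoring model from the article: the inventory, the finding identifiers (placeholders, not real advisories), the multipliers and the deadline tiers are all constructed assumptions. It shows why a finding on an internet-facing, business-critical server outranks an identical finding on a branch kiosk, and it surfaces findings on hosts missing from the inventory rather than silently dropping them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Asset:
    name: str
    location: str                      # site or cloud region
    criticality: int                   # 1 (low) .. 5 (business-critical), set by the business
    internet_facing: bool
    compensating_controls: list = field(default_factory=list)  # e.g. "ids_monitoring"


@dataclass
class Finding:
    asset: str
    vuln_id: str                       # placeholder identifiers, not real advisories
    cvss: float                        # scanner severity, 0.0 .. 10.0


# Constructed inventory and scan output (illustrative values only).
INVENTORY = {
    "web-01": Asset("web-01", "dc-east", 5, True),
    "hr-db": Asset("hr-db", "dc-east", 5, False, ["ids_monitoring"]),
    "kiosk-03": Asset("kiosk-03", "branch-2", 1, False),
}
FINDINGS = [
    Finding("web-01", "VULN-PLACEHOLDER-1", 9.8),
    Finding("hr-db", "VULN-PLACEHOLDER-2", 7.5),
    Finding("kiosk-03", "VULN-PLACEHOLDER-3", 9.8),
    Finding("unknown-host", "VULN-PLACEHOLDER-4", 5.0),  # scanned, but not in the inventory
]


def risk_score(finding, asset):
    """Assumed scoring model: severity scaled by asset criticality and exposure."""
    score = finding.cvss * asset.criticality
    if asset.internet_facing:
        score *= 1.5                   # reachable by outsiders
    if "ids_monitoring" in asset.compensating_controls:
        score *= 0.8                   # monitoring lowers, but does not remove, the risk
    return round(score, 1)


def remediation_deadline_days(score):
    """Assumed SLA tiers derived from the risk score."""
    if score >= 50:
        return 3
    if score >= 20:
        return 14
    return 45


def prioritize(findings, inventory, today=date(2024, 1, 10)):
    """Return (remediation queue sorted by descending risk, assets missing from inventory)."""
    queue, unknown = [], []
    for f in findings:
        asset = inventory.get(f.asset)
        if asset is None:
            unknown.append(f.asset)    # inventory gap: cannot be risk-rated until triaged
            continue
        score = risk_score(f, asset)
        due = today + timedelta(days=remediation_deadline_days(score))
        queue.append({"asset": f.asset, "vuln": f.vuln_id, "score": score, "due": due.isoformat()})
    queue.sort(key=lambda row: row["score"], reverse=True)
    return queue, unknown


if __name__ == "__main__":
    queue, unknown = prioritize(FINDINGS, INVENTORY)
    for row in queue:
        print(row)
    print("not in inventory:", unknown)
```

The two CVSS 9.8 findings land at opposite ends of the queue purely because of asset context, which is the point of rating by business risk rather than by scanner severity alone. The `unknown` list is the feedback path back into asset identification: a host the scanner can see but the inventory cannot is itself a finding.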
Security is all about taking it back to the basics. Train and develop your team to think with a security-first mindset, changing the culture of what it means to secure not only the front door of your business, but every endpoint that offers access to the digital space as well. When you begin to change the conversation of how you perceive security, it will be easier to implement solutions that are technologically forward to do the rest of the work. It is not about a one-box solution for any business, but rather an integrated approach of people, tools, implementation and proper monitoring that will result in a successful information security program for your business.