We all have our pet peeves when it comes to security
technologies and practices. One of mine is the hesitancy of security
practitioners to openly share their experiences lest they expose a serious
weakness to the world. Trust me, if you have large vulnerability issues, the bad
guys already know about them! You are much better off talking with peers in your
industry to find out what works for them so you can learn from them and make
progress.
The healthy exchange of security ideas from enterprise
leaders was one of the reasons I was excited to be invited to the CIO/CISO
Summit held last week in Boston. This conference provides an opportunity for
CIO/CISOs to participate in roundtable discussions, absorb highlights from
presentations and otherwise network with peers. It is an inspirational idea
that seems like time well spent.
A few points resonated with me from one of the sessions:
Strong security processes can lead to user fatigue, and user support is critical for
security. We sometimes overlook the impact security decisions can have
on our people. A CPA friend bemoans that accounting guidelines call for a
separate un-memorizable password for each and every client and that passwords
must be regularly changed. So of course he writes them all down in multiple
obvious places so he can work from home or office ... and now has a jaundiced
view of IT security recommendations. Ridiculous. If you are on a security team,
be sure to consider the impact on users and avoid being invasive "for
security's sake" whenever possible.
Technology is important, but be careful of a false sense of security. Every
vendor promises the next great thing, and many products are indeed great. But
no product does everything great. SIEMs are cool, but your data is already lost
by the time any event is recorded; user analytics are a fascinating approach to
detecting the presence of malware, but there will be false positives in
anything based on behavioral scoring. One takeaway is that fundamentals are
fundamental for a reason - be sure to have and enforce standard operating
environments for important servers, efficient processes to patch critical
vulnerabilities, documented processes to rebuild after attacks, and only run
the latest releases of software. Killer technology is best when supplementing a
security program focused on strong fundamentals.
Reserve more of your security budget to embrace new user activity. In the
last 5 years where has your organization changed the most and how is your
security program adjusting to those changes? This is a difficult question because
security likes to control stable processes and technology, but things cannot
always stay the way they are. This may mean that capabilities you fought hard
for just a few years ago are suddenly worth a lot less to you now (can you say
MDM?). It is easy to see the growth of the cloud and mobile devices, so instead
of trying to force them to behave like your physical infrastructure, isn't it
more pragmatic to have security get ahead of user activity? Be willing to
change security processes with the times - even if it means leaving good legacy
stuff behind.
I was impressed with the program put together by the CIO/CISO
Summit. I am hoping that your region has something similar. While it is always
nice to socialize with peers, it is even better to have challenging security
conversations.