Confusion in Cyber Security

Throughout my career, I have worked with hundreds of organizations. Regardless of the vertical or size of the organization, I have found that many executives and security professionals feel like the interviewer in the Rickie Fowler commercial when it comes to their organization's digital security. They don't know where to start, for instance, nor are they aware of where and how today's ever-evolving risks and threats affect their organization. As a result, they're not sure how to best invest in digital security, how to focus their limited personnel on defending against digital threats and/or how to build a sustainable and effective security and compliance program. In my line of work, it has also been my experience that foundational controls are often taken for granted, overlooked, considered boring and/or simply ignored. Compliance is, for the most part, a reactive process. Organizations throw everything and everyone at preparing for an audit, only to go back to business as usual when it's over until the next audit cycle. Like the interviewer in the Rickie Fowler commercial, business and security executives face a daily barrage of sales calls claiming that they can strengthen their organization's digital security by buying the new shiny thing. In their pitch, the sales person references all of the new digital threats that are in circulation, all of the security terms that are applicable to these risks and how they can, in turn, use this new shiny thing to solve all of their security and compliance challenges. Business and security executives then inevitably turn to their teams, like the interviewer in the Rickie Fowler commercial, and they ask a series of rapid-fire questions. "What does it all mean?" "Should we be doing this?" "Are we doing this?" "Why aren't we doing this?" If you've ever seen Finding Nemo, you'll understand when I refer to this phenomenon as the Dory Effect. It's not like I don't understand.
I get how everyone wants the shiny new toy. They're cool, they're pretty and they're fun to work with. Focusing on old foundational controls is boring and can be tedious for today's young security analysts and even for us older cyber security professionals. Yet investments in these shiny new toys usually fail to provide a timely ROI and end up exposing a weak foundation. This, in turn, causes organizations to go into reactive mode by shelving the shiny new toy and scrambling to shore up that weak foundation. Some good that did. But it's not like organizations can avoid cyber security altogether, either. Unfortunately, it is still an all too common occurrence to read about yet another organization that has fallen victim to a security or compliance incident. This type of experience also forces organizations into a reactive mode where they might be inclined to purchase a shiny new toy so as to diminish growing public outcry in the wake of a breach.
Creating a Strong Foundation for Your Security 'House'

In most cases, such a security incident boils down to weak cyber security and compliance controls. By contrast, a strong cyber security and compliance foundation doesn't just help organizations better utilize their limited resources and budgets. It also creates the groundwork for building a sturdy structure that can weather future storms. From this secure basis, organizations can build the frame of their house according to the Golden Triangle: skilled and talented cyber security professionals, effective processes for vulnerability management and other essential security programs, and tools for facilitating the organization's defense against threats. Once the house is built, it's time for organizations to continually inspect their homes for weaknesses. Irfahn Khimji, regional manager for Canada at Tripwire, is familiar with this step in the process. He explains in a blog post that organizations will be successful only when they examine both the inside and the outside of the home:
"The challenge comes if the organization is limited to an Outside-Only view or an Inside-Only view. With the Outside-Only view, the scope of assessment is limited to only that which is visible externally. While one can see what an external attacker would see, it does not give a true representation of the overall risk of the asset. With the Inside-Only view, the vast majority of risk is assessable, but there will always be a small view that can only be seen from the outside."

The challenge, of course, is to find the right platform that can balance both of these approaches.