It’s the day before Christmas and all through the workplace, there was nothing but empty space. However, with the holiday just around the corner, it’s your last chance to get some formal security resolutions on the books for New Year’s! Remember, it’s never volume that counts here; it’s the quality of the resolution and the investment you make in it. Why have the exact same resolutions as everyone else? Be a security geek! Pick one that resonates, and plan a party for next year when you’ve rocked your resolution!
Remember, if you keep on doing what you’ve been doing, you will get the same results. To get different results, you need to make a change. It doesn’t have to be a big change; a single small change is enough. Every small change can be built on, and each one can improve your security posture over time.
Some options to get your creative juices flowing:
Know your state. Create metrics that identify what changes your user base has actually experienced. There are some great tools out there for non-training-based metrics, like PhishMe.
Change your ratio. Security people are always talking about how humans are the weakest link. They can also be your strongest defense and your earliest warning indicator of a problem. However, if you look at your staffing or resource allocation, what share of budget or headcount is associated with this initiative? Just a small change here, applied regularly, will make a difference over time.
Change your style. Training research has repeatedly shown that small groups working with interactive, relevant material have a bigger impact than large groups receiving slideware in a giant dark auditorium. Gamification is huge, and a great way to get competitive juices flowing.
Listen to your customers / users. Security can easily be considered the team that always says no. Our job is to enable the business to be successful at the level of risk they can manage. Do you know what your customers want you to improve for them? Do you know the next big business initiative that needs your team to help manage the risk? Take time to listen, discern trends and find gaps and process improvements that will benefit everyone.
Know your state. Do your metrics start from the top down? Do they provide more insight than recorded incidents per month? Are you tracking things that aren’t just outputs of tools, such as average time to escalate to Incident Response, or how long an item stays in a given state, so you can tell whether things are improving?
Practice your plan. Proper incident response is like any other exercise: it benefits from routine training. Do you run cross-organizational tabletop exercises? Where on the live-fire spectrum do you operate? This can range from everyone knowing the exercise is coming to complete surprises. Does your Incident Response program work with your Disaster Recovery or Business Continuity teams on their giant-scope items? This could be a really revealing opportunity.
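As an added illustration of the kind of metric this resolution calls for (not code from the original post or from Tripwire), the following Python computes mean time to escalate and mean time spent in each state from a handful of constructed incident records; the incident IDs, state names and timestamps are invented for the example.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data: each incident is a list of (state, timestamp)
# transitions in chronological order. None of these are real incidents.
SAMPLE_INCIDENTS = {
    "INC-1": [("detected", "2013-12-01T08:00:00"), ("escalated", "2013-12-01T09:30:00"),
              ("contained", "2013-12-02T09:30:00"), ("closed", "2013-12-03T09:30:00")],
    "INC-2": [("detected", "2013-12-05T14:00:00"), ("escalated", "2013-12-05T14:30:00"),
              ("contained", "2013-12-05T20:30:00"), ("closed", "2013-12-06T20:30:00")],
    # Still open: no "closed" transition yet, so it has no time-in-"contained".
    "INC-3": [("detected", "2013-12-10T10:00:00"), ("escalated", "2013-12-10T13:00:00"),
              ("contained", "2013-12-10T13:00:00")],
}

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def time_to_escalate_hours(transitions):
    """Hours between the 'detected' and 'escalated' transitions, or None if either is missing."""
    times = {state: _parse(ts) for state, ts in transitions}
    if "detected" not in times or "escalated" not in times:
        return None
    return (times["escalated"] - times["detected"]).total_seconds() / 3600

def time_in_state_hours(transitions):
    """Hours spent in each state. The final state has no exit yet, so it is omitted."""
    hours = {}
    for (state, ts), (_, next_ts) in zip(transitions, transitions[1:]):
        hours[state] = (_parse(next_ts) - _parse(ts)).total_seconds() / 3600
    return hours

def metrics(incidents):
    """Roll the per-incident figures up into the numbers you would track month over month."""
    ttes = [t for t in (time_to_escalate_hours(tr) for tr in incidents.values()) if t is not None]
    per_state = {}
    for tr in incidents.values():
        for state, h in time_in_state_hours(tr).items():
            per_state.setdefault(state, []).append(h)
    return {
        "mean_time_to_escalate_hours": mean(ttes) if ttes else None,
        "mean_hours_in_state": {s: mean(h) for s, h in per_state.items()},
        "open_incidents": sum(1 for tr in incidents.values() if tr[-1][0] != "closed"),
    }

if __name__ == "__main__":
    for name, value in metrics(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value}")
```

Run the same computation against last quarter’s tickets and this quarter’s, and the comparison (did mean time to escalate drop? is anything sitting in "contained" longer?) is exactly the "are things improving" question the resolution asks, rather than a raw count of incidents.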
Lessons Learned. There’s a fantastic amount of opportunity in previous incidents to find places that could be optimized in the organization or the incident response. Getting a larger group together to talk through lessons learned and create real action plans around it can pay big dividends in the future.
Know your context. Through outreach or active monitoring, you can learn a lot about what others in your shoes are experiencing, and what the up-and-coming concerns are. Something as low-touch as reading regular updates from places like PaulDotCom or Dragon News Bytes is a great start. If you prefer the human touch, reach out to an industry group, a local CERT, or other companies in your segment and hold a quarterly lunch and learn.
Improve your hygiene. The Verizon DBIR often finds that many failures could have been stopped by appropriately hardened systems or by earlier and better alerting. Strong use of patching and vulnerability management software, as well as File Integrity Monitoring, Configuration Assessment and Log Management (especially if it comes with System State Intelligence), can help reduce your attack surface. (Tripwire has an app or 2 for a lot of that…)
Remove temptation. Just as you don’t hang out in bakeries if you want to eat better, removing well-known attack vectors from systems can reduce your threat surface. We often talk about adding more technology, but sometimes thinking about what you can remove will do wonders. Do corporate users really need Flash to do their jobs? How about Java? What security level can the browser be set to without impacting the business? What permissions do people hold that they never use? This particular resolution does require a strong understanding of your business, since the goal is always to enable users to be successful.
I’m sure there are dozens of ideas out there for great New Year’s security resolutions. I’d love to hear them, and others would too. Drop a comment, post to Twitter, and let us know what you think!
Clock Image courtesy of Shutter Stock