Internal Trusts
Just like we have internal networks and systems that are trusted, we should look at some of our internal teams as trusted sources of information. If we can’t treat them as trusted sources, we should look at how our technology has evolved to address the issue. We don’t always deny connections. To address information that could be relevant, but doesn’t have a trust relationship yet, let the connection come into the sandbox and learn what it’s trying to communicate. When building relationships with people, a zero trust model is rarely effective. This doesn’t mean we should no longer look critically at past decisions or the answers we are given. What it does mean is we should assume there were reasons for every decision. We should assume internal finance teams, IT teams, and other groups have valuable feedback we can leverage to avoid pitfalls in our security program. There should be an internal trust that is constantly examined and only denied once the trust is violated, not before.

Layer 8 Rules
OSI Layer “8” is Management. You can explain everything from Layer 1 to 7, but if you don’t have management buy-in, you won’t get anywhere. Develop the relationships with management teams first. Work with them to understand what the business needs before trying to engineer a security solution. Oftentimes, critical issues that could kill your new controls could be avoided with a conversation. Creating rules of engagement that facilitate communication with “Layer 8” will help you develop the right controls.

Behavioral Based Security
Security nihilism is accepted too quickly. If we can’t have perfect security, then why bother? Rarely is a security control perfect. We shouldn’t blindly reject improvement. How can we move in a positive direction with regard to securing systems every day? We need to look at behaviors and reinforce positive change. If people know the right thing to do, more often than not, they will do it. When they are generally improving the overall security of the organization, we should encourage the behavior to continue even if it’s not perfect. Information security technology evolved rapidly over three decades; we now need to evolve our relationships. We need to update our methodologies for engaging with our people. Let’s whitelist relationships with our peers and coworkers so we can find a common path to better security.