Security wellness takes more than a fad diet
Every year, millions of people make the same New Year’s resolution: to lose weight and improve health. But by February, a mere thirty days or so into the year, stats show 75 percent of us have fallen off the wagon.
The pitfalls are many, whether the resolution is vague and broad, or we neglect to set measurable goals and regular check-ins, or perhaps we’re just not really ready for change. Achieving a true state of wellness requires us to do important things like approach the issue holistically, benchmark and monitor progress, embrace setbacks, and spend wisely. It’s not an easy feat.
The infosec world sure can relate. Global IT security spending is expected to exceed a staggering $124 billion in 2019. But still, the threats continue to outpace it, with the cost of cybercrime projected to hit the trillions over the next five years. I see surprisingly similar parallels between personal health resolution woes and organizations’ attempts at wellness for their security environments.
As our industry shifts away from the fad diet approach characterized by throwing money at point solutions that address individual problems with band-aids and, instead, moves toward attaining – and maintaining – a state of health for our environments, security leaders can use the following four wellness tips to their advantage.
Take a holistic approach
Like the dizzying array of diet and exercise options offering a quick fix, the security landscape is a confusing one, made all the more complex by the sheer volume of available solutions. The smart approach to safeguarding an organization sounds a lot like holistic care, which is a method of treating the whole person, not just a certain area. It helps to view your security environment similarly.
People, process and technology all play an important role here – and not any one of the three can succeed without prioritizing the others. As it relates to the technology piece, we need to create an integrated system or chain of defense that prevents attacks before they’re launched, detects attacks that can’t be prevented, and remediates intrusions faster to prevent data theft or business disruption.
Benchmark and monitor progress
You can’t set and forget a health resolution and expect to see results. Much like running a mile and then re-testing your time in subsequent months to get a status update, benchmarking security controls is a must, along with identifying sensitive data and assessing risks – all in an effort to reduce risk exposure and secure data, systems and assets.
Recognize the importance of automated monitoring of devices, both inside and outside of the network. Not only do you need to monitor the health of your security agents, but also make sure you are monitoring for sensitive data and unauthorized software on the endpoint. Keeping tabs on the software installed on your endpoint devices is as critical to your overall security success as having an accurate picture of the devices themselves, because patching is an eternal struggle.
Resilient mindsets treat a dieting setback more like a setup for a comeback. In the security realm, it’s not a matter of if but when an attacker will penetrate your defenses. There are just too many ways in, and not enough people in the world to watch everything every minute of every single day. You work incredibly hard to mitigate the risks inherent in operating and managing technology today. But it’s inevitable that something will happen. You must be ready to react if and when an incident occurs, you must have a plan and process in place for dealing with an incident, and you absolutely need to practice this plan to be ready for it. Ultimately, you can – and should – prepare for, learn from and rebound stronger after a setback.
Chances are you’ve already got the resources at your disposal that you need to get your security environment in shape. I’d also wager that somewhere along the line you’ve wasted money on unnecessary gear. As it relates to endpoints, for example, organizations simply are not activating – or are incorrectly using – security tools that are already deployed on their endpoint devices.
Given the high likelihood that you have made endpoint security investments of some sort, let’s recognize the importance of verifying, before jumping to add another tool into the mix, that the security tools you have put on the devices themselves are, in fact, functioning properly and that the data on them is secure.
Getting started, or pushing through the plateau, on the path to security wellness is not simple, nor is it something you can do in a single day – it takes time, planning, the right resources, training, and support to build a solid foundation. My hope is that by starting with these core ideas, you’ll find inspiration as you home in on and advocate for measures that can effect positive change within your organization.