Revolution is in the air: Re-examine existing practices
John Stewart, Cisco
Security professionals continue their efforts to protect IT infrastructure from those who would disrupt society and business, steal information or do harm. Across our industry, there is a rallying call for revolution – one that re-examines our existing practices and behaviors to course-correct and lead the way to a more assured future.
Our world is quickly evolving, and electrifying new technologies are leading the way. Today, we don't use technology, we rely on it. Whole societies are running on the technological advancements that continue to change our way of life for the better, yet this progress also creates new challenges. Security professionals have to be persistently more creative, agile and responsive just to keep pace.
While we have moved the needle on improving information security, there is still a ways to go. Albert Einstein defined insanity as “doing the same thing over and over again, and expecting different results.” So why do we continue to rely on traditional practices, such as patching and anti-virus, to protect our critical assets when the rate of technological evolution has rendered these approaches virtually ineffectual?
We have built complexity into our IT systems and have relied on common practices for far too long. The complexities we face are vast and asymmetrical. It's expensive to do everything we need to protect our assets, yet still far too easy for a miscreant to do harm.
We're in an unfair fight. To level the playing field, we need to challenge traditional thinking around security and make the penalties for hacking more punitive. In fact, it's time to rise up, get fighting mad and force an insurgency that will bring revolutionary change to how we protect our information assets.
Let's get back to basics. Do less…and do it well. Create simple goals and strategies to keep the bad things out while protecting the most critical assets. Gauge for detection to understand what is truly occurring in the infrastructure, and then analyze and validate the data frequently to measure effectiveness. Most importantly, stop building systems and adding security on later. Instead, architect them with security embedded from design to operation.
Don't do it alone. Apply an “eye-in-the-sky” approach that provides global visibility into the overall condition of the IT infrastructure and threat, and more effectively helps to protect the things that need to be protected. Prepare a contingency plan for when something goes wrong, and then work hard to make sure it doesn't.
Human curiosity can't be ignored. Links and attachments want to be clicked, and all the security controls in the world can't stop ignorant, imaginative and/or malicious users from hurting themselves or the organization. Most employees are unknowledgeable, inexperienced and ill-equipped to contend with increasingly dynamic, risk-prone and open operating environments. And most don't have a clue about technology security, and don't want to know. We must boldly educate users about the importance of their role in protecting the organization and themselves. We must also encourage their participation and hold them accountable.
Help is available if we know where to turn and what to ask. Reach out to local law enforcement and international protection agencies, which can help understand, manage and mitigate risk. Find ways to illuminate the problems and ideas publicly. Share ideas that work and know where to get answers from others, as, ironically, we're all facing similar challenges.
Remember: No matter how much you think you know right now, “tomorrow” will surprise you, so be prepared. Your call to action: Join the revolution and help us all move to a more secure future.