With 2011 upon us, it is time to reflect on the events that affected IT security last year.
Lessons were learned, but the knowledge was hard won. Data breaches driven by Stuxnet and WikiLeaks dominated the headlines, while the industry suffered from employee churn in a continuing slow economy.
Perhaps the only good news was the 15 percent increase in server shipments in the third quarter.
Based on conversations with IT managers and CIOs, here are my predictions for the security manager's wish list this year:
1. Tools that allow us to “trust but verify.”
WikiLeaks unmasked the insider threat, and beleaguered CEO Julian Assange hints that more megaleaks will be released, including allegedly damaging information about a major U.S. bank. We obsess over the perimeter, but in 2011 defense-in-depth is the byword, more than ever. Disabling all media devices, such as CD/DVD drives and USB ports, would hurt productivity badly, but leaving them wide open is just as bad. Tools that allow us to trust but verify are necessary for maintaining what the U.S. Army calls “situational awareness.”
While it may not be likely that your organization will make headlines because your private corporate data has been exposed, the underlying root cause of WikiLeaks – internal threats – remains a constant struggle for organizations of all sizes. Such exposure can occur by accident or through the actions of a malicious employee.
The key is to appreciate that you may not know your employees or their motivations as well as you think you do. It is important to monitor each and every employee's behavior in the IT infrastructure at all times. This can be done manually, or through automated means, by examining the data provided to you by all the components that make up your infrastructure.
2. Trained, certified security expert on staff
Every CISO feels understaffed for the challenges at hand. Most organizations have already made investments in security tools – but having a trained staff that knows how to use them for maximum effectiveness is as important as having those tools.
3. Securing the virtualization layer
Companies across the board see virtualization as a route to efficiency.
The server sales increase reported for Q3 was highest for “skinless” servers – meant for data centers and running virtual machines. It is rare for the CISO to be able to include security from the beginning of an initiative – most IT infrastructures are a result of organic growth over the years in response to business needs.
This is an opportunity for IT managers to start from scratch, taking the lessons learned from the implementation of their traditional IT infrastructure to make security of the virtualized network the cornerstone for this endeavor.
4. Sensible regulation
Most CISOs are tired of “checkbox” regulatory compliance, which does little to actually improve security and instead burns up precious budget dollars in bureaucracy.
Initiatives such as the SANS Institute's Consensus Audit Guidelines and the NIST configuration assessment checklist are helpful in taking advantage of the 80/20 rule, where 80 percent of the benefits accrue from 20 percent of the effort and spend.
5. Smarter users
Users are both the reason for the IT infrastructure and the bane of the security team's existence. Internet access and users are the cornerstone of the infrastructure. Many CISOs want better security awareness and training for the user community.
There are things that can be done to improve the knowledge of your IT users.
While it would be nice to send them all to an IT boot camp, that is obviously not practical.
Instead, constantly train your organization's employees on the established processes and best practices they should follow, and strictly enforce these policies.
Let them know you are watching, and they are more likely to behave.
While this wish list comprises general security items that every CISO wants, there are plenty of other needs that might be on the list: third-party security audits; an independent consultant to review the company's defensive security measures; IDS or SIEM solutions; or biometric devices, tokens and smart cards to eliminate passwords.
Remember the old nugget – the more things change, the more they stay the same?
It is like that in IT security.
If you feel I just played musical chairs with the top wish-list items that have stayed about the same for the past years, you are quite correct.
We should not waste a good crisis. Just as we leverage the fear of an upcoming audit to improve our processes and tools, we should also use the WikiLeaks episode to improve our defense against the insider threat.