There is no doubt about it: Information technology is advancing at an alarming rate, and the sophistication of threats against those technologies is escalating at an even faster pace. Advanced threats, such as non-signature-based malware; protracted, persistent and targeted threats; hacktivism and many other types, push companies and individuals between the proverbial rock and a hard place.
Technologies enable business and, thus, enable our economies. Unfortunately, embracing these technologies increases our risk. This upward spiral also escalates the monetary price we believe we have to pay to fight the threats. However, we aren't fully using the basic tools and resources already in place.
The majority of security breaches investigated for a recent IBM report stemmed from inadequate maturity of basic controls. Yet, a strong and mature foundation – already in place – will slow the pace of this endless race.
Security programs have been and will continue to be built around fundamental security principles: access control, least privileges; defense in depth; configuration and change management; standards and compliance, etc. Tools and processes supporting these abound, and companies have spent an extraordinary amount of money implementing them.
Unfortunately, we continually fail to push them to their ultimate capabilities. Instead, we install, walk away and lose interest. As security practitioners, it is our professional duty to build solid foundations in the security basics, hedging the tide of hype which fools us and our leaders into diverting our attention to the shiny coin. These foundations have to include full lifecycle enablement, continuous monitoring for improvement, and metrics guiding decision-making and maturation.
Until we succeed in managing the basics, we'll fail in addressing the advanced.