Mav Turner, director of security, SolarWinds

It's hard to imagine a time when a high-profile security breach wasn't making the headlines this year. Just ask the IT pros of those companies affected, from consumer retailers to enterprise computing providers, and they're likely still wading through the aftershocks or just beginning to determine how to avoid similar events in the future.

2014 taught us that organizations cannot rest on their laurels and the security team needs to be in a state of hypervigilance in terms of safeguarding the network to protect data, operations and public reputation. However, often lost among the screaming headlines are the failings of a solution-based approach to security that merely “waits” for an attack, then mitigates potential damage. The new security practitioner must go on the offensive by building a proactive security plan that seeks out and eliminates potential threats before they pose a risk.

This is precisely why developing and implementing a proactive security plan will be a critical component of 2015 IT priorities.

Why is a proactive security plan important?

The new security professional cannot simply set up a good (or even great) defense and walk away. The ability to react quickly when a security issue arises is important – but attackers are extremely resourceful and great at quickly evolving. For example, an attack may not be designed to take advantage of one single, new threat to an organization, but rather a collection of undetected or unaddressed vulnerabilities – which means attackers can inflict maximum damage with minimum effort.

What's more, we're not just seeing bigger industry players being targeted. Rather, organizations of all types and sizes are being affected. Even small businesses without a lot of “traditional” assets are prime targets simply because they're easy targets, or have enough data to be useful in launching additional attacks. Consider all types of data that can have value, including but not limited to payment and financial data, customer contact information, proprietary intelligence and even product development plans. While large businesses can likely survive, this kind of event can take down an entire small bank, credit union or retail outlet. In other words, attackers are just as attracted to targets of mere opportunity as they are to the virtual goldmines of companies affected by the major breaches seen in recent headlines.

How is IT making itself more vulnerable?

Businesses are becoming accustomed to moving at the speed of IT and the technological innovations that enable greater efficiency, faster time to market and increased revenue. However, this also means that the network is constantly changing. Consider the effects of bring-your-own-device (BYOD), VPN, the rise of SaaS, consumerization and even the Internet of Things (IoT). IT needs to actively review how these changes create additional risks and security holes that attackers can then leverage.

Oddly enough, compliance can also contribute to a more vulnerable security state. While more frequent, comprehensive compliance checks only stand to benefit the organization in meeting government and industry body requirements, the security team cannot assume that compliance equals security. It's important to not fall into the trap of thinking that if one adheres to compliance requirements, security is assured. To address this, many regulatory bodies are starting to specifically state that compliance requirements will not ensure security. PCI is an example – even if a company passes an audit, it can still be fined if a breach occurs.

Add to this the typical barriers for IT to enact a more proactive security plan, including a lack of time, personnel resources and ongoing educational opportunities to learn about the evolving threat landscape. The presence of silos between web, security, development, virtualization, systems and other teams – compounded by what some organizations still experience as separate monitoring environments – can make it difficult to know where to begin.  

Four ways to implement a proactive security plan

We recommend the following tips for implementing a proactive security plan in order to supplement ongoing reactive security measures:

  1. Document everything – By maintaining records of procedures, every IT employee – not just the security admins – can immediately step in to ensure ongoing maintenance and implementation. This includes internal contact information, vendor and security tool information, incident response policies and more.
     
  2. Take a data-centric approach rather than a network-centric approach – Instead of thinking in terms of the number of VPNs or where to install firewalls, IT should think in terms of where and how data is stored, and how attackers will try to access and use it. Break it down in terms of the most sensitive data first and work out from there.

  3. Assign a dollar value to risk in order to show how security success – or failure – directly impacts the business – This will not only gain corporate buy-in toward resources and personnel, but also showcase the value of IT security as a true revenue protector within the organization.

  4. Consider what kinds of IT tools are really needed according to business needs – High-end, complex, enterprise-grade security tools are only helpful if they're being used correctly and to capacity. IT tools are far more effective when they directly meet business needs, aren't constantly scrutinized from a budgetary perspective, and are easily implemented and used on an ongoing, regular basis.

IT professionals are responding to increasing cries for proactive security, but the important thing to remember is that it's not a one-time event – proactive security plans evolve monthly, weekly and even daily. Better yet, the best proactive security plans involve all aspects of the organization: the security team, the IT organization as a whole, business leadership and even everyday employees. By being proactive, the new security professional can greatly decrease the chances of their company becoming the next breach headline.