In the midst of these heady times of rapid change and advancement, there is a growing consensus that it is time to take a step back and reassess the bigger picture. There has been so much focus on information security technology for technology’s sake, and on using that technology to ensure compliance with specific industry regulations, that we are losing sight of the end goal. It is imperative that businesses return focus and resources to what really matters: mitigating risk, protecting corporate and consumer data, and preventing negative incidents. It seems we can’t see the forest for the trees, in other words.
Detection and remediation were hot topics at the recent RSA Conference. Specifically, auto-remediation, especially for malware on endpoints, was widely discussed. This was likely inspired by incidents like Target, which had a very good, leading-edge anti-malware technology that did detect the issue, but they did not have the auto-remediation turned on. Their explanation was that the technology was so brand new that they did not yet feel comfortable turning on that part of the system. Now we are getting closer to the heart of the problem – not the technology, but the processes, people, and culture behind it.
Technology by itself is not going to solve all the problems. If a company does not have proper policies for implementing the technology and deploying it fully, the technology cannot help as it was designed to. If the culture of a company is such that efficient and thorough deployments are not supported, that is an ongoing and underlying issue that will always be a chink in the armor the technology is supposed to provide. We’ve seen from the fallout of the Target incident that they are a prime example of a flawed culture: the IT team raised concerns about the very system that was eventually compromised just days before the incident, but the potential security lapse was seen as less important than the focus on the busy holiday season. Those raising concerns were told, ironically, that the timing was not right to make the suggested improvements.
The only way you can make authentic progress is by focusing on all four areas: people, process, culture, and technology. Perfecting the security culture throughout your entire organization, including all your suppliers, is obviously not possible. In terms of people, the security industry is currently 1 million people short; we do not have enough trained workers for all the security needs we have identified. Assuming we are able to train and hire all those workers in coming years, we will see the same problem when a new breed of threat emerges and further training and staffing is required. As always, working smarter is of paramount importance: identifying the most critical points of vulnerability where the most damage can be done, funneling resources into those points efficiently, continuously monitoring for results, and communicating lessons learned throughout the enterprise.
A few years ago, there was a big argument among analysts that compliance engenders a false sense of security. It was counter-argued that compliance was doing a lot of good, and that without it many security programs would not exist. Looking back, it can be argued that in the long run compliance has done more harm than good. Consumers think they are more secure, but if companies are only aiming for the rubber stamp, they are actually less secure. No matter what technology you use, compliance regulations without teeth (measurement and enforcement) will undercut true security. There is a plethora of metrics we should be looking at, but at most we are focusing on the one or two required for compliance certification. A “checkbox mentality” will not protect your assets or your consumers’ data.
The continuous monitoring and measurement that is essential to truly addressing known and emerging threats is a massive undertaking. It requires focus, discipline, leadership and innovation in all four areas we’ve discussed: people (trained, skilled information workers), culture (a true concern for protecting consumers, leadership for the big picture, and priority setting), process (you can’t improve what you don’t measure; what are you doing with the technology once you buy it?), and technology (do you have the latest and greatest, is it implemented properly, are you monitoring it, and is it integrated across your entire enterprise?).