Over the past several years I’ve had the pleasure of meeting with many enterprise customers who have INFOSEC responsibility and who represent almost any vertical market segment you could imagine. I’ve often found, however, a pattern where customers do not always carry out very fundamental aspects of information security that, when executed, would help lower their overall risk.
This is the first of a series of articles in which I’ll do my best to articulate these common areas of improvement, based on my numerous discussions with security leaders. With security breaches now a daily occurrence, it’s more important than ever to get the “low hanging fruit” right.
Understanding your overall risks – more than a gut feeling
Organizations often plan their security budget around deploying new, and frequently costly, technologies. While there may be merit in doing so, one must first understand where the risks actually lie and create a logical pathway toward addressing them.
For example, a customer that does not review its firewall rules periodically may still be allowing ports that are no longer used, or rules for applications that have since been retired. This is clearly an avoidable risk. So what should the average security leader do?
I strongly encourage our customers to engage an independent third party who can understand their business requirements and take an objective view of their environment. These professionals have seasoned experience across multiple environments and can help client organizations understand their risks. They can also help create a more cost-effective roadmap for implementation.
Such an assessment also gives the typical security director the data needed to update senior management on the organization’s risk profile. This is especially important for new security leaders within an organization. It’s prudent to understand your current risks as a baseline before charging ahead; you may not know that the “back door may be ajar.”
Three common areas of need:
Security Policy/Mobility – Mobile devices and applications are now being rolled out by many of our customers to increase productivity and revenue. While it’s important to utilize the technology to remain competitive, installing Mobile Device Management (MDM) capability on a device is only part of the equation. MDM is certainly a critical component, but issues such as BYOD, application security, compliance requirements, employee termination, etc., must be addressed prior to rollout.
Employee Awareness – It’s more important than ever for employees to understand that security is everyone’s responsibility, not just the security team’s. Many current threat vectors leverage phishing attacks that deliver malware not yet identified by current AV providers. A trained eye may prevent that malware from ever being downloaded. Senior executives must be especially vigilant, as attackers often target individuals who have access to privileged information.
Application Security – It’s only logical to infer that the software we develop may have flaws, since we are human. Many organizations that develop their own externally facing software may not be taking the appropriate precautions to protect their environment against typical threats (e.g., SQL injection and cross-site scripting attacks).
It’s therefore important to ensure your team runs an ongoing software development lifecycle program that ensures the code you develop, and any subsequent modifications, are properly tested. One must realize that your application is typically just one step away from your data – not securing the application could result in a breach, with possible reputational and compliance consequences.
In summary, many facets of an organization would benefit from an objective security assessment by an experienced firm, which will typically evaluate a variety of controls. The three I mention above are fairly common, based on my experience meeting with enterprise security leaders.