IT Security is a huge and daunting topic; it takes an expert to stay on top of everything!
So much information, so much conflicting advice: it's difficult to know where to start, and not all advice is good advice.
There are some common messages that we really don't like. Here are our top ten ways that our industry is getting it wrong:
1. "Security Is Everything"
No, it really isn't! Being you is everything!
The primary purpose of any large enterprise is to perform their service to the best of their ability and to stay ahead of their competition. The largest companies in the world all have well-defined objectives, mission statements and strategic goals. Security might be part of that, but it's a supporting function, not "Everything".
As an industry, we need to leave behind this myopic focus on ourselves and put the customer at the centre of the discussion.
2. You Need to be Afraid
Nope.
Cyber security is necessary to protect against known and unknown threats to operations, reputation and employee safety. OK, that can be frightening, but once understood, this is simply a fact of life that needs to be addressed.
At present the industry is stuck in a culture of fear and it needs to be changed. We limit ourselves and our customers by talking this way. Security solutions, implemented properly, provide greater opportunity to excel. Once security is addressed, it provides a platform for creative freedom, entrepreneurship, and innovation.
For example, few people are so afraid of driving that they won't get in a car. Instead, we rely on seat belts, air bags and crumple zones to keep us safe, then we go where we wish, take corners quickly and drive at high speed on the motorway.
IT Security Solutions should remove fear, promote confidence and allow users to think big.
3. Spending Big is Insurance Against Attacks
Absolutely not.
Writing a big cheque can demonstrate board commitment to solving the problem, but investment alone won't cut it. Ensuring that what you buy is installed, optimised and managed correctly just might. Better still, making the most of your existing investments can be just as productive.
There is no "tick in the box" that makes the problem go away. It needs to be dealt with. Selling on fear belongs in the past.
4. Security is an IT Problem
Sorry, no again.
Yes, cyber security is largely deployed by the IT department, but the implications of a breach are business-wide, and security considerations should be in the minds of every member of staff, especially the executive team. Security strategy should be set at board level and reviewed as a standing agenda item; responsibilities should be owned by named individuals and documented, with full procedures in place.
5. It Won't Happen to Us
Yes, it will and it does!
Every organisation, large or small, high profile or low key, is at risk. The threats are widespread. It's not a question of whether it will happen but when. How you react and recover is what matters most. Without a robust security strategy, any enterprise is at risk, not just from attack, but from catastrophic failure when vulnerabilities are exploited and no remediation plan exists to put things right.
6. We're Safe in the Cloud, because large providers have security sewn up
No again. Read the terms and conditions and you'll find this simply isn't the case.
The advent of "Cloud" computing and resources for large enterprise gives exciting opportunities but also brings unique challenges which need to be addressed as part of the base implementation. Cloud providers are great at securing data in and out of their infrastructure, but that's not enough for large enterprise.
Simply having rudimentary protection at ingress and egress points is woefully inadequate in a large data-lake. Security is also required to segment data fields, restrict access based on various parameters (e.g. user groups), and authenticate against multiple cyphers. If not considered at architecture stage, Cloud deployments simply won't perform in the way we all hope.
7. Having a Plan on Paper is Good Enough
Nope. SHOW ME.
I can't remember how many contracts I've seen where service providers proudly state their DR policy and metrics about how often these policies are tested.
Don't believe the hype: have it demonstrated before your own eyes. If a provider can't literally pull the plugs and show failover there and then, there's no guarantee it will work in practice, and whilst the contractual payout from such a failure might be nice, it won't make up for the devastation caused by severe system downtime if something goes wrong.
8. My Application Providers Have my Back
Only partially, which is as good as not at all.
Application providers talk a good game about security and how their systems can be augmented to ensure security across your network, but this isn't the case.
Any interaction between third parties and your core systems should be tightly controlled. We've lost count of the times we've seen holes punched through firewalls to enable a feature (support, monitoring, real-time updates etc.), but unwittingly, these third parties create vulnerabilities which even the most lenient security policy can't allow.
Furthermore, application providers often profess to offer security solutions which span your network, but this is rarely the case. At best, they provide a basic layer which addresses their own solution well, and the rest of the environment adequately/poorly/not at all.
9. Point Solutions are Enough
Where there's a gap, there's a problem.
There are myriad point solutions in the marketplace which profess to get you through. They're tempting when considering a specific project or an individual requirement, but they fall down where their remit stops and another's starts.
Good security should provide a solid foundation which spans everything you do, not just one specific aspect. Implementing a solid infrastructure, underpinned by great strategy is the only effective way to ensure your security is up to scratch.
10. My IT Support (Generalists) know enough to get by
Maybe your guys are superheroes, but most aren't.
It's a lot to expect a generalist IT team to be across everything, supporting applications in service, maintaining hardware infrastructure and keeping your networks running smoothly.
IT Security is a skill in its own right, and expert help is needed to keep your investment running to the best of its ability. The biggest threat to a security solution is often the limitations of its implementation and ongoing management.
Getting experienced insight is worth every penny and frees your team to do what they do best.
If you'd like an off-the-record chat about updating your database security, or anything else security related, you can book into my diary here.
Best wishes,
Liz