Sean Mason, Vice President of Global Customer Success, Resolution1 Security, discusses major information security themes for this year and advises enterprises to draw up the following New Year resolutions. We live in a different world than the one we lived in years ago. Most security professionals were content to have time to play with some logs, install a new Intrusion Prevention System, or get a sample of malware and try their hand at reversing. Generally though, most security professionals were relegated to a world of firewall administration, user authentication, and compliance (let alone the value-add security documentation that goes along with that…).
As we’ve continued to see, times have changed and Chief Information Security Officers (CISO’s) and their teams are expected to do considerably more now. The reality is that if you are CISO in today’s world, you are on point to fight foreign military units and organised criminal enterprises.
Below is what I expect to be the major Information Security themes for this year and it would be well advised for enterprises to draw up the following New Year resolutions:
1. Quit wasting time
Hackers do not work according to your schedule. There is no such thing as “end of year” or “holiday weekend”, and there hasn’t been for some time in the cyber realm. Making plans to “get started” after a holiday or a weekend is exactly what adversaries expect you to do and is why they will continue to exploit companies with that mentality. Spending months doing POC’s on technology, putting off hiring or budget requests, waiting to deploy technology and other approaches that introduce unneeded delays are tactics proven to fail. Accelerate everything now.
2. Focus on security, not compliance
Compliance has failed us. Prevention has failed us. How many attacks need to be reported by the largest companies in the world for CIO’s & CISO’s to rethink their approach? The companies that are successful in information security understand that the only proven means of mitigating damage by attackers is to spend resources on detecting and responding to attacks- identifying them and shutting them down as quickly as possible before they escalate. Would you rather be out of compliance and pay a fine, or deal with a crippling Sony-like attack which will end up costing your company hundreds of millions of dollars?
3. Be proactive defending your network
Even if you have an internal Service Organisation Controls (SOC) & Incident Response Team (IRT), or an external Managed Security Service Provider (MSSP), you still need to proactively look for threats on your network outside of the normal day-to-day operations. Either leverage your internal teams to hunt for anomalies that signal compromise on your network, or hire an outside firm to do it for you. Incidentally, penetration testing is not hunting.
4. Invest in & hire new college graduates
Last, but not least, it is common knowledge that there are not enough Information Security professionals in the world. Don’t waste months hoping and trying to find the right candidate or worse- throw your hands in the air and claim you simply can’t find anyone. Take the time to open headcount dedicated to hiring information technology graduates from your local college and put them into information security roles. You’ll be surprised how quickly they grasp the concepts and add value to the organisation.
What you don’t see in these resolutions are items related to Intel, Mobile, or Cloud; those are simply realities we have to live with. What these resolutions represent is a mind shift and ultimately adjusting the way organisations operate. They won’t be easy, and in many cases will be considerably hard to execute on. However, a new way of thinking and conducting ourselves as Information Security Professionals is required, to have any chance of being successful and taking back control over our networks.