Opinion: There's no magic pill for security

Real security only comes with a lifestyle change, serious commitment and determination

As happens every January, when the new year arrived a couple of weeks ago, I saw a lot of new joggers and dog walkers out on the roads in my neighborhood. I've heard that gyms see a spike in business every January as well. In both cases, after a few weeks, things revert to about where they were before, as most of those who resolved to get fit in the new year fall away.

The problem is that real fitness is not achieved through a quick fix. It's an entire lifestyle, not a couple of jogs around the block.

Parallels can be drawn to security, be it information security, application security, software security or any other security discipline.

For many organisations, certainly, the quick fix can be tempting -- and it's just as illusory as the fitness quick fix. Again and again I've seen organisations that otherwise are lax in security matters commission a quick penetration test of whatever software or app they're deploying. They hope the test will give them an easy list of things to fix and leave them -- ta-da! -- secure. Even worse, they might go out and purchase a firewall, IDS, application firewall or some other product they heard about at a trade show and expect it to magically secure their shoddy software.

These things are to security what a pill that promises to burn fat while you sleep is to fitness. In both cases, the only thing you end up burning is cash.

Real security only comes with a lifestyle change, serious commitment and determination. It requires sweat and pain at times. But the results can be worth all that effort.

If you are ready for that kind of commitment, then the next natural question is where to begin. Quite simply, you need a plan. Failing to formulate a solid plan is what trips up the New Year's resolution crowd, and the same is true for organizations seeking better security. If you're out of shape, you shouldn't expect that you can just put on the sweats and running shoes and run a few miles on New Year's Day. Getting to wherever you want to be is going to take time, and should be planned accordingly. Start with the small things and gradually increase.

Here's how I would recommend easing into better security shape:

  • Decide where you want to end up. Do you want the absolutely best security program that money can buy? Are you aiming to do things only as securely as other organizations in your field? Do you want to do the bare minimum to avoid some regulatory sanction? Thinking about questions like these will help you determine what you can afford to do -- and what you can't afford not to do. Set a target, and then get senior buy-in and commitment for getting there. A fine example of goal-setting is the famous Bill Gates "Trustworthy Computing" memo, sent to all Microsoft employees in January 2002.

    In it, Gates wrote, "So now, when we face a choice between adding features and resolving security issues, we need to choose security." Those simple words sent Microsoft in a new direction and continue to shape the company's actions today.

  • Next, critically assess where you are now. Just how bad is it? Whether you do the assessment yourself or hire consultants, you should emerge from the process with a candid understanding of your current state -- no sugar coating. And if you haven't done such an assessment for some time, do it again. It's worth updating that "before" snapshot from time to time.

  • With your goal in mind and your current state understood, establish milestones. Start with bolstering the most glaring weaknesses uncovered in your current-state assessment. Plan and budget them out over a realistic timeline. Build each milestone into your organizational goals and your staff's personal goals. Plan to measure successes (and failures). Reward those who succeed, and punish those who don't.

There are plenty of resources to help along the way. For example, if software security is your responsibility, consider reading and participating in the Build Security In Maturity Model (BSIMM). It's a great way of assessing your current state by comparing your organization's practices against others, including (most likely) some in your specific industry sector.

Whatever path you take, be prepared for the hard work of getting into security shape. Just as there are no magic diet pills, true security doesn't come with buying a product, even if it's from a reputable vendor.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Parallelssecurityapplication securityAccess control and authenticationMalware and Vulnerabilities

More about BillCarnegie Mellon University AustraliaCERT AustraliaMellonMicrosoftParallelsPara-ProtectTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kenneth van Wyk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts