For any CSO or CIO, you are charged with protecting the enterprise. That’s a significant responsibility and you know darn well that your reputation indeed your role depends on how well you can manage through the issues that will arise.
How do you with a limited budget, provide the protection that the Board and in particular the Risk Committee is expecting?
First, let me quote Salman Rushie:
"There is no such thing as perfect security, only varying levels of insecurity."
Hmmm that’s an interesting perspective, but there is truth and insight in that statement.
No such thing as Nirvana
I believe that indeed you can achieve good but never perfect. For most things in life this is absolutely true and IT Security is no different. How then do you work out what is going to be ‘good’ enough?
Spend alone is not a good indicator of ‘goodness’. In most IT shops we always install too many tools, that overlap in functionality and we don’t often use these products to their full intended value.
Recently in a discussion with a number of Architects I was explained that all three of these IT Security tools were mandatory and ‘must be’ in place. Of course as you start to ask questions around why and how come, you learn that actually one of these was ‘important’ and not ‘mandatory’.Read more: Seven things government security leaders expect vendors to address
The issue really isn’t about which tools to use. It is more about clarity of purpose and knowing that every action is taking you towards the required level of ‘good’.
Never declare victory
Yes, this is an endless journey and persistence is going to be an incredibly important attribute. You can never say that the work is done, but the balance will be to recognize the progress and keep a strong sense of self awareness of what is critical.
In IT Security, there will be constant shifting sand around what is the latest Malware of Advanced Persistent Threat (APT). This does take a certain mentality that combines a degree of paranoia along with a structured thinking approach to understand where to apply one’s limited bandwidth.
Never declare victory, as Murphy’s Law will always work against you. I once saw the Chief Security Officer of a Big 4 Bank declare at an external SIBOS event that his company had advanced security and ‘was in great shape’.
While I was not working for that organisation, it made me squeamish…..
Patching, Patching, Patching
I’ve seen so many cases of Security 101 being totally ignored, with teams just too busy to do the simple things such as patching. In a similar vein all the usual audit chestnuts such as access control and privileged access.Read more: Is penetration testing still effective?
Show me a company that always does the simple things right over the long term and I will award you a prize. Unfortunately human nature and staff turnover end up with less than optimum results.
Then patching becomes a major finding……..I can see you smile as I’m sure you have had this situation. There is always another priority that trumps your activity to patch that server.
The answer has to be that we need advanced analytics to detect and respond to patterns of threats. In today’s world the CISO has to deal with a continuous stream of data from various internal and external sources.
There will be ‘too many false positives’ and the trick is to be able to filter through the ‘noise’ and get onto correcting any real vulnerabilities.
Big Data is at an infancy stage in many organisations, but this is a domain where machine learning can make a massive difference.
That exactly is part of the problem, and no one wants to admit to be either at a position of strength or weakness. There is only downside to declare this both internally or externally.
This lack of being able to measure best practice and replicate this, means that the bad guys get a free kick.
But let’s remember that actually no one is perfect and that there are only different levels of insecurity.
Want to know more?
Why not become a CSO member and subscribe to CSO's mailing list.
Get newsletters, updates, events and more right here