Over the last few months, since I started writing articles for CSO, I have had quite a few people approach me asking for my opinion on different security solutions. I don't mind sharing my opinion on things, but it is just that: my opinion. I like what I like, and I am very happy to burst the bubble of any vendor who tells people their solution will protect them from all threats and that nothing will get through.
This is the biggest load of crap, but I keep hearing it being spouted to customers by vendors and other security service providers. STOP telling potential customers that your new suite of cloud security products or some fancy new physical firewall will protect them from every threat that may come their way.
It really gets under my skin when I hear a pitch spun this way. NO system or protection is 100% perfect, and none can defend your organisation from ALL threats 100% of the time. Yes, there are some great products out there that can give you really good protection, but true security is about more than buying the latest and greatest protection and saying "I am protected now, nothing else needs to be done". Whoever is selling you that pipe dream is worse than a slimy car salesman.
Don't fall for the hype. Do your homework and talk to security professionals about what you should really do to protect your systems; many will be happy to point you in the right direction. Not all of them will agree on the best solutions or practices for you. We are only human, after all, and we each have favourites that we like to use more than others, sometimes for stupid reasons that only make sense to us. The point is: don't fall for the silver-tongued salesperson trying to sell you the cybersecurity version of that stylish new red convertible that nothing can get in the way of. Trust me, you will regret it in the long run.
There is no silver bullet solution that will protect you… Yes, that is correct, but it does not mean you should stop trying to make your systems safer. Instead, make sure you get a solution that provides the features that work best for your environment. Make sure you have a good set of security policies, train your staff so they know what to look out for, and make sure they are comfortable approaching your security/IT team if they are unsure about something (chastising people or making fun of them is never helpful when you are trying to educate them). If you can make them feel that you are there to help and will not judge them, they will come to you when they see something funny. This goes for the staff on your IT helpdesk as well: they are the people who see all the issues, and a heads-up from them that something is going on can help stop an incident or breach before it goes too far.
Patch your systems regularly, not once a year (please do this; such a simple thing can be what saves you, and anything with a known, actively exploited vulnerability should go to the front of the queue). Yes, I know some of you have systems that make regular updates hard, but just because it is hard doesn't mean you shouldn't still do it as often as possible. Ensure that every system goes through a hardening process before you put it into a production environment (yes, I know you have deadlines and don't really have time to do this; make time, you will be grateful you did later). And don't stop there once you have put in the newest security protections.
Security is a work in progress; keep working on making your systems more secure and you will be as prepared as you can be when an incident occurs.
Let us do a quick recap: do not trust the silver-tongued salesperson selling you the silver bullet solution (that new red sports convertible) that will solve all of your organisation's security problems and let you reduce your security team. What they are selling you is pure science fiction; it is as simple as that. Get the option that best meets your needs, but do it with your eyes open, and don't fall victim to the hype of the next best platform that has just thought of a new way to sell you the same thing all the other vendors have probably been doing for years, just with a fancy new name.
Cover your basics and remember that security is always a work in progress. Keep making improvements and working towards the best security you can, and you will greatly reduce your risk of a breach. A final note on this, though: some breakthroughs really are breakthroughs (remember the "do your homework" comment). If the new solution really checks out and it will solve a problem in your systems, then go for it...