Organisations often pay lip service to security ("Oh yeah, security is important... pass the sugar please") but don't properly fund, and hence resource, the information security function. Once a security incident occurs it's all "who do I pay to make this go away?". The unfortunate reality is that a security function is a slow-moving beast, and a rapid cash injection doesn't deliver immediate results.
Most improvements come through people (new capabilities introduced) and process (repeatable, documented processes for key security controls, especially documented use of the security functionality already built into your systems), not shiny new toys. Good information security people are in short supply, and getting the wrong people can leave your organisation stuck in "analysis paralysis" or "compliance tunnel vision". Without the right people embedded in your organisation, how do you uplift processes, or even understand the reports and processes written by your consultants?
If your security function is effective, will there be fewer security incidents because of your effective prevention measures? Potentially there will be more security incidents discovered, because you are checking logs and looking for evidence of compromise!
If your security function is ineffective, there are likely to be security incidents, but you won't know about them! We're not in the 90s any more, when security incidents were all digital-vandalism-style web defacements. Attackers these days are often criminals who don't want attention drawn to their activities.
If you are a CISO, or perhaps someone with a keen interest in security at your organisation, I suggest you try to remember the following phrases in case of a security incident:
"Who do we task with responding to this security incident? Gee, I wish we had a CISO to organise us."
"What did you say? The SOE (standard operating environment) doesn't have security patch requirements? Well, let's note that for further attention."
"What, an accidental misconfiguration of a system let this happen? Hmmm... How could we perform compliance checks of production systems in future?"
"Sorry, you say the evidence of the compromise was there in the security log all the time? How can we automate review of these logs in future, and assign someone to action the alerts generated?"
"An application security flaw, you say, allowed this incident to occur? Perhaps we should propose security requirements for applications in the post-incident review for this incident."
I suggest you forget the following phrase: "I told you so".
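The "automate review of these logs and assign someone to action the alerts" point above is the one that most often stays a slogan, so here is what the smallest working version of it looks like. This is an added illustration, not code from the original post: it parses constructed syslog-style sshd lines (the host names, source addresses, year and on-call roster are all made-up sample data), raises an alert when one source racks up repeated failed logins inside a short window, escalates if that same source then logs in successfully, and gives every alert a named owner so nothing sits unactioned.

```python
"""Minimal automated review of authentication logs with alert assignment.

Added illustration for the 'automate log review and assign someone to action
the alerts' point; it is not code from the original post. The log lines, the
host names, the source addresses and the on-call roster are constructed
sample data, not real events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: syslog-style sshd lines (syslog omits the year).
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 02:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Mar 10 02:14:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 02:14:08 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 10 02:14:11 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 10 02:14:20 web01 sshd[2240]: Accepted password for root from 203.0.113.7 port 50130 ssh2
Mar 10 09:01:44 web01 sshd[3120]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Mar 10 09:02:10 web01 sshd[3125]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

FAILURE_THRESHOLD = 5           # failures from one source ...
WINDOW = timedelta(minutes=5)   # ... within this window raise an alert
YEAR = 2019                     # assumed: syslog timestamps carry no year

def parse_line(line):
    """Return a dict for an sshd auth line, or None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev

def review(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Sliding-window review: alert on repeated failures per source, and
    escalate if the same source then logs in successfully."""
    alerts = []
    recent = defaultdict(list)        # src -> timestamps of recent failures
    flagged = set()                   # sources already alerted on
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["outcome"] == "Failed":
            # Keep only failures inside the window, then add this one.
            recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
            if len(recent[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"severity": "medium", "host": ev["host"], "src": src,
                               "summary": f"{len(recent[src])} failed logins within {window}"})
        elif src in flagged:
            # A success after a burst of failures is the case to chase first.
            alerts.append({"severity": "high", "host": ev["host"], "src": src,
                           "summary": f"successful login as {ev['user']} after failed-login burst"})
    return alerts

# Constructed roster: who owns alerts of each severity.
ROSTER = {"high": "oncall-analyst@example.com", "medium": "soc-queue@example.com"}

def assign(alerts, roster=ROSTER):
    """Give every alert a named owner and an open status so it cannot sit unactioned."""
    return [dict(a, owner=roster[a["severity"]], status="open") for a in alerts]

if __name__ == "__main__":
    for a in assign(review(SAMPLE_LOG)):
        print(f"[{a['severity']:6}] {a['host']} {a['src']}: {a['summary']} -> {a['owner']}")
```

Run as-is it produces two alerts for the sample: a medium one when the fifth failure from 203.0.113.7 lands inside the five-minute window, and a high one when that same source then succeeds as root; alice's single failure followed by a key-based login is ignored. The roster is the part organisations most often leave out: an alert with no owner is just another log line nobody reads.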