If only securing your business was like killing werewolves. All you’d need is a trusty silver bullet and your problems would be solved.
As we saw at our first ever IEF Security Council conference call, such thinking about information security is naïve. Not only is there no “silver bullet,” no magic box to do away with all your risks and obstacles, but the stakes have never been higher. Threats are climbing, while the pool of good talent is shrinking.
Joined by three top-level security professionals, as well as Softchoice’s own security practice lead, this one-hour call was full of insight and advice to help IT security and business leaders tackle this plight.
Part 1: Big Challenges Facing IT Security
Before we get to the solutions, let’s closely examine the terrible state of affairs the CISO is facing today. Our guest speakers took the lead on describing several all-too-common hurdles and risks putting security on the line.
Briefly put, it’s a mess. In more detail, and in no particular order, these are the key security challenges facing IT leaders in 2016:
Prioritizing new solutions:
Having lots of great technologies to choose from sounds great, but it’s causing confusion, and slowing progress for many. Today, the abundance of “revolutionary” technologies has made this issue a critical one.
Think about the cloud, big data or mobility. Just as security is catching up to these new surfaces of attack, the Internet of Things (IoT) is added to the mix.
“How do you prioritize when something new keeps coming on the scene before you had time to wrap your arms around the last big shiny new thing?” asked Chris Poulin, the IBM security strategist.
Lack of resources:
Perhaps nowhere is finding the right resources as crucial, yet as challenging, as in the security department. Indeed, George Myrtos, Softchoice’s security lead, mentioned a statistic showing that tens of millions of open positions remain in the market for specialized security jobs – yet the pool is only getting smaller.
“It’s a human resources problem,” said Dell’s Tim Brown. “We are seeing a lack of qualified people that can address these issues.”
From phishing to whaling to ransomware, it seems as soon as one problem starts to fade away, another comes blaring onto the scene. Worse, IT experts explained that access to personal information on social networks has only made the problem of social engineering attacks easier for the criminals.
“These targeted attacks (using social media) are increasingly more difficult to protect against,” said Mounil Patel, Vice President, Strategic Field Engagement at Mimecast.
On top of this, old solutions (such as IP blocking) have become less effective as the web, and the environments where attacks occur, evolve (for example, the proliferation of SSL-encrypted web traffic).
Another major threat has been that leaders are putting too much faith in one-sided approaches, instead of investing in a holistic, wide-ranging security program.
“People just want to buy a product and be done. But security isn’t a product – it’s a journey. It’s not easy,” explained Brown.
The same goes for off-loading responsibility to third-party service and cloud providers. While they can certainly play a valuable role, sometimes an IT department takes it too far and ignores its own crucial responsibility for protecting its data.
Part 2: Solutions for Modern IT Security
Speaking of responsibility, knowing exactly which parts of security your team owns, and just how much of it to outsource, is fundamental to ensuring your business is not left open to attack. The IT leaders had this, and several other best practices, in mind when discussing how to deal with the mess described above.
Be cautious with cloud:
When you take your infrastructure to the cloud, you are eliminating a majority of the maintenance, monitoring and admin tasks. But you still have a role to play. Mounil cautioned that businesses that move to the cloud need to treat the process with the same care and attention as they would if they were building their own on-site infrastructure. For example, your cloud provider might be responsible for preventing breaches on their end – however, your data is still exposed at the entry and exit points, and on your end-user devices.
CISO in a box:
Limited pools of resources and an overload of repetitive work have led many organizations to adopt what Myrtos called a “CISO in a box,” where, similar to cloud infrastructure, you off-load the bulk of your security activities to a third-party provider. As a result, businesses can cut costs, deliver security at greater speed and avoid the struggle of hiring scarce, hard-to-find talent.
Similarly, Myrtos says that another popular approach is to maintain your own resources, but to go to outside experts to vet, and help craft, an overall security strategy. “They are looking outside their own four walls for guidance,” said Myrtos. “In the past, they thought they could handle it on their own, but now they realize they can’t.”
Outsource the slog:
Poulin says it’s also useful to focus your energy on high-level, strategic questions, and find external parties to take over the repetitive, janitorial work. The primary benefit here, he says, is that it gives you more bang for your buck with internal resources. “If you are using your own people to slog through millions of lines of log files, then you are not being effective,” he said.
While the threat of hyper-targeted attacks is real, and really scary, most breaches are caused by less focused, random “drive-bys.” As such, IT leaders should be hyper-vigilant about ensuring they have good information security hygiene to deflect these random assaults. In fact, eight in 10 attacks can be prevented simply by practicing “good hygiene,” explained Brown. His statement is backed up by numerous information security professionals, and by a study by the NAO.
Building a culture of safety:
The reality is, the threat that faces us tomorrow is not known to us today. Therefore, there is only so much you can do to protect against specific threats in specific ways. What is needed instead, said many of the leaders, is to build a “culture of security,” so that your people will be prepared for anything that comes their way.
“Training is critical,” says Mounil. “If people are sensitive to attacks, they tend to be much better prepared for things we haven’t even thought of yet.”
Part 3: 5 Ways to Build a Culture of IT Security
While building a “culture of safety” sounds natural, it’s excruciatingly difficult. After all, it all comes down to people. And people aren’t the most trustworthy bunch when it comes to keeping data safe, as we have seen countless times in these IEF forums.
IT leaders are taking this challenge seriously. “I am seeing a lot of change. Organizations aren’t just paying lip service anymore around (getting people to adopt) security policies,” said Poulin.
Still, many IT leaders remain unsure of how to actually start building a more effective culture of security. There was plenty of good advice shared on the call. Here are a few key strategies for training and building more security-minded employees.
Seamless and easy tools:
Answering an IEF member’s question about multi-factor authentication, our experts told him that the best approach was a seamless, user-friendly one. This means enabling smartphone-based solutions rather than old fobs, and only putting multi-factor authentication in users’ way when absolutely necessary.
But the same can be said for almost any technology designed to make your information safer. The easier it is for employees to use correctly, the more adoption you will have. User-centricity is key in all successful security programs.
Leverage the C-suite to ensure your workforce follows correct procedures and exercises caution. This is often a great way to ensure the practical lessons learned in training are taken to heart.
One story was shared to really illustrate this point. The IT department would test employees at random with a fake phishing email. If they failed, the culprit would receive a voicemail from the Chairman – a heated message explaining how risky the behavior is and how much risk it exposes the entire business to.
Another approach is to use gamification and leverage our natural competitive nature to support adoption of security protocols.
One organization sends out random quiz emails, weeks after a training is complete. Those who answer the questions the fastest are put on a leaderboard for all to see. How can you “gamify” components of your training to give employees a reason to remember the information?
If we took one thing away from our security council, it’s that there is no one thing you can do to be secure.
IT leaders and business executives alike need to stop thinking of security as a single, magic box. “It is not a product.” Instead, treat security like an organic, flexible, and far-reaching program.
This program will be confronted with numerous challenges, from evolving attacks to confusion and a lack of clear priorities. To combat these issues, IT leaders have an effective arsenal to choose from. But as we saw, people often pose the greatest risk to information security. And while you can do much to improve training and adoption, it will never be perfect.
This is the state of affairs for information security in 2016. The myth of “perfect security” has disappeared. Its replacement: smart leadership that understands the business and leverages user-centric tools, as well as cloud and third-party providers, to get more done, more intelligently and with more speed.
Good luck out there!
Download the full report here.