Last week I offered up 10 (±1) questions to ask your security vendors. Today let’s talk about what you should be asking yourself...to stop doing.
Quit investing in security technology over security people.
Every time we get together at one or another conference we hear it again: “security comes from people, process and technology.” There’s a reason—beyond an alphabetizing coincidence—that technology comes last; people and process are the sine qua non of your security program. So make sure your people have the training and support they need to become (and remain) Advanced Persistent Defenders.
Quit leaving security to “just happen.”
I’ve visited a lot of companies, and I’ve met a lot of smart security folks. They’re passionate about security and about protecting their networks. They almost all intuitively know the right things to do, and the right times and reasons to say “no” to one thing or another. Yet they’re often left to do their work in isolation, without the support (or knowledge) of their executives. Sound familiar? Then a crisis hits and this disconnect becomes a big part of your overall risk. Get ahead of it. Learn from your security practitioners and what they’re doing—or wish they were doing—that isn’t necessarily in their job descriptions or policy directives, and then absorb that knowledge into sensible policies that work for the C-suites and the cube farm alike.
Quit selecting vendors without taking independent testing into account.
Where I work we’re all pretty excited about independent third-party testing lately. While it’s true that not all of the very latest whiz-bang tech can be put in a well-defined category and subjected to apples-to-apples comparison, third-party analysts and testers are almost certainly thinking harder about these new technologies than you are, and they’re equipped with more data than you have time to accumulate, process and understand. Even if your inclination is to take their findings with a grain of salt, find out what they have to say about the companies and products you’re thinking about investing in before you sign.
Quit adding security “after.”
It's 2014. And we’re still designing products, applications, data centers, companies and all kinds of other stuff without weaving security into their very fabric. The only way to do more good than harm, and to maximize security ROI in the bargain, is to start with security in mind. As a vague vision for an “Internet of things” begins to take shape before our eyes, security becomes less abstract and more about personal (i.e., bodily) safety. Are you part of the solution or part of the problem? If you’re not sure, at least be part of the discussion.
Quit letting Aunt Susie fend for herself.
Remember Aunt Susie? She’s the one we’re actually trying to protect. She’s the family member who doesn’t happen to be part of the information security community. She works in the front office. She manages finances. She invents stuff. She sees to the actual business of your business. She doesn’t want to be inconvenienced by seemingly pointless security measures, but she also doesn’t want her department to lose a week of productivity due to a breach, and she definitely doesn’t want her bank accounts hijacked by a shadowy mobster somewhere.
To normal human beings, all this hacker/breach/APT/malware stuff is at best an unwelcome distraction, but under the surface it makes the world of technology, computers and the Internet seem less friendly and accessible than it needs to be. So let’s be sure we remember whom we’re fighting for when we make security policy or technology decisions.
What bad habits are you trying to quit in your organization? Let’s discuss it in the comments.