When people talk about security and risk, we often see people making decisions based on their gut-feeling instead of looking at the issue and trying to understand the why behind what is going on. This is often compared to the idea that vending machines kill more people then sharks, yet there is not a Snack Machine Week on Discovery Channel. While this factoid makes sense when you hear it, especially if you look at the numbers, it misses the idea of actually understanding the basis of the statistic. I think a fun article about this looking at the basis is on the Freakonomics.com blog. But let’s focus on the problems that Secure Ideas and other security consultants find in organizations, and try to come up with ways to fix them.
The first issue that we often see is that many organizations do not truly understanding security. We find that many people are focusing on the shark, even though they are a land-bound organization. Organizations will panic about the latest news about Heartbleed or APT, while ignoring the fact that their users are clicking whatever link arrives in email. It’s this distraction that attackers love. While you are moving your efforts to prevent that nation-state from compromising your coffee shop, the real threats you face are wandering around your network freely.
The easiest and hardest (at the same time) way to fix this is to learn more. Now this doesn’t mean that every CIO should take a web penetration testing course (even though we would love to see you at ours). But the IT operators and developers could learn more, and CIO’s should watch their presentations about security. Another successful tactic is to have security staff provide regular news bites or topics around security issues that affect the organization.
The second main issue that we find with organizations is focusing on compliance instead of security. This is a common mistake because people often confuse the two. Compliant means you met some checklist; secure means you are protected against attacks (at least to the best of your ability to be secure.) We are not saying that compliance is not important, but if you work on being secure, compliance will often be the secondary result. As a matter of fact, if you look at what PCI is doing with the PCI-DSS 3.0, a major change they are pushing is to make security business as usual. So instead of just worrying about it right before the QSA comes in, organizations will make it part of their workflow.
This brings us to the third problem we see — silo-ization of security. How many organizations have security teams that treat security as something that they alone can do? How many policies prevent IT or developers from testing their own security? This idea of a silo prevents most of the easy wins we should be able to accomplish as security becomes part of the entire organization. We can work with all parts of a company to take part in security. From having IT to scanning and testing and empowering a customer service rep to recognize a social engineering attack, this can only improve our security.
The final mistake we see is the vendor extravaganza that is common in organizations. You can’t buy your way into being secure. Contrary to that salesperson, there is no silver bullet and in many cases, this complex mix of solutions open other security holes that did not exist before. Organizations need to focus on educating and training their people.
We aren’t saying vendors can’t help, but businesses need to focus on working with vendors that improve upon current resources or build skills within the organization.
Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.