EDITOR’S QUESTION
Morey Haber, VP Technology, BeyondTrust
We are all aware of the threats; we hear about them in the news almost every day, and too many experts have advice on how to secure our mobile devices, credit cards, social media accounts and IoT. We have even created novel words to describe these threats, like skimming and cyber bullying. As citizens, we have become numb to their meaning and the associated security recommendations, unless of course we become victims of the attacks ourselves. As such, I do believe that we have become complacent, not only in our personal lives but also in business.
Instead of executives becoming even more strategic, security professionals becoming more acute and users becoming more self-aware, we find ourselves accepting the daily barrage of security information as commonplace. The truth is that we have a problem to overcome. We have become desensitised to the facts and it is one of the biggest threats to enterprise security.

If you live in an old house, ask yourself a very simple question. How many layers of paint are on the walls? How many times has the bedroom or kitchen been redone? Instead of a demolition, we often layer solutions (paint, for example) to create a new look. We seldom fix the rotten wood and replace bricks and mortar until absolutely needed. Our approach to cybersecurity is very similar.
Security teams are bored with patching operating systems, applications, infrastructure and websites. How many times can you ask a team to patch a Windows Server 2008 R2 before the task becomes mundane, boring and repetitive, and the owners become complacent? Unfortunately, it happens all the time. Operations and security professionals need to have their minds exercised. So how do we change our mindset?
• Create challenges for team members. Healthy competition on who can patch all of their systems first or deploy a new technology better stirs the spirit. Team members have bragging rights and a goal.

• Focus on investigation and research. Referring to my house analogy, rather than asking teams to pick a new colour of paint, challenge them with finding a better way to fix the wall. Ask them to research a problem and provide recommendations to solve it. We need to stop believing that our current approaches to security are good enough.

• Include metrics and stress accountability. One of the nastiest pitfalls of complacency is that no one is accountable for a situation. If a problem exists that is not remediated or mitigated in a timely fashion (typically defined by a Service Level Agreement), there need to be consequences. If teams slack off and risk your security, someone must be held accountable.

• Educate and notify. The threats are all around us and happening every day. It is a natural human trait to slack off occasionally. That alone should not stop teams from being trained and from having threats communicated to all stakeholders. There is a risk if you neglect to tell employees not to click on a link or open an email that says “I have a package for you in the mail room.”

• Do the basics well. The only time you need to replace plumbing or a wall is when the infrastructure has failed. If you do the basics – vulnerability assessments, patch management and privileged access delegation – well, you will find flaws in your foundation quicker and maintain them better, so a problem does not require you to tear everything down.
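The "metrics and accountability" and "do the basics well" points above can be made concrete with a small remediation SLA tracker. The following is an added illustration, not code from the author or from BeyondTrust: it takes a list of vulnerability findings, measures each against an assumed per-severity SLA (the day counts in SLA_DAYS are a constructed policy, not a standard), lists the open findings that have breached their SLA, and produces a per-owner scorecard so that late remediation is visible to a named owner rather than to nobody. The findings in SAMPLE are constructed sample data.

```python
"""Remediation SLA tracker: turns a backlog of findings into accountability metrics.

Added example, not the author's or BeyondTrust's code. The SLA day counts and
the sample findings are assumptions constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation SLA in days per severity (a policy choice; substitute your own).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    owner: str          # the person accountable for remediation
    severity: str       # one of the SLA_DAYS keys
    opened: date
    remediated: Optional[date] = None  # None while the finding is still open


def days_to_fix(f: Finding, today: date) -> int:
    """Days the finding has been (or was) open, measured to remediation or to today."""
    end = f.remediated or today
    return (end - f.opened).days


def is_breached(f: Finding, today: date) -> bool:
    """True when the finding exceeded its severity's SLA, whether still open or fixed late."""
    return days_to_fix(f, today) > SLA_DAYS[f.severity]


def overdue_findings(findings, today):
    """Open findings past their SLA, most overdue first."""
    late = [f for f in findings if f.remediated is None and is_breached(f, today)]
    return sorted(late, key=lambda f: days_to_fix(f, today) - SLA_DAYS[f.severity], reverse=True)


def owner_scorecard(findings, today):
    """Per-owner metrics: total findings, how many met their SLA, and a compliance percentage.

    Findings fixed late still count against the owner, so the metric cannot be
    gamed by closing tickets long after the deadline.
    """
    totals = defaultdict(lambda: {"total": 0, "within_sla": 0})
    for f in findings:
        totals[f.owner]["total"] += 1
        if not is_breached(f, today):
            totals[f.owner]["within_sla"] += 1
    for stats in totals.values():
        stats["compliance_pct"] = round(100 * stats["within_sla"] / stats["total"], 1)
    return dict(totals)


# Constructed sample data: a small backlog split between two owners.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("F-1", "web-01", "alice", "critical", TODAY - timedelta(days=10)),   # open, 3 days late
    Finding("F-2", "db-02", "alice", "high", TODAY - timedelta(days=20)),        # open, within SLA
    Finding("F-3", "file-03", "bob", "high", TODAY - timedelta(days=45)),        # open, 15 days late
    Finding("F-4", "win2008-04", "bob", "medium", TODAY - timedelta(days=120),
            remediated=TODAY - timedelta(days=5)),                              # fixed, but 25 days late
    Finding("F-5", "app-05", "bob", "low", TODAY - timedelta(days=30),
            remediated=TODAY - timedelta(days=1)),                              # fixed within SLA
]

if __name__ == "__main__":
    for f in overdue_findings(SAMPLE, TODAY):
        late_by = days_to_fix(f, TODAY) - SLA_DAYS[f.severity]
        print(f"{f.finding_id} {f.asset} ({f.severity}) owner={f.owner} overdue by {late_by} days")
    for owner, stats in sorted(owner_scorecard(SAMPLE, TODAY).items()):
        print(f"{owner}: {stats['within_sla']}/{stats['total']} within SLA ({stats['compliance_pct']}%)")
```

Run against the sample, the overdue list names F-3 and then F-1 with their owners, and the scorecard shows alice at 50% and bob at 33.3% SLA compliance. The design choice worth noting is that late-but-closed findings (F-4) leave the overdue list yet still lower the owner's score, which is what keeps the metric honest.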