Most organizations today don’t really know how much their information is worth, which tends to make securing data across an enterprise an exercise in futility for many IT security professionals.
Greg Touhill, a retired brigadier general and former CISO for the US Government who is now president of Cyxtera Federal Group, an IT security consulting firm, says that conundrum results in organizations spending $100 to protect information that is only worth a dollar, while simultaneously not spending enough money to protect critical intellectual property.
Speaking at an Insecurity conference this week hosted by Dark Reading, Touhill says that too many organizations still think of IT security as a technology problem rather than an exercise in risk management. Information is clearly one of the most valuable assets an organization possesses. But most organizations are not entirely sure who has access to that information, let alone what it might be worth, says Touhill.
Touhill says that when it comes to IT security there are five fundamental concepts that IT security professionals need to make sure their organization masters:
- 1) Risk Management: No organization has an unlimited security budget. It’s not possible to defend every piece of data equally. Business leaders need to identify what data is most critical to defend. IT security professionals need to be able to convey what those risks are in a language business people can understand.
- 2) Procurement: Security issues need to be addressed as part of the procurement process. Too many organizations are still running obsolete equipment that is impossible to proactively secure. Products and services consumed by organizations or created by the internal IT team need to be secure by design.
- 3) Harden the Workforce: Most security breaches occur because of human error. Money spent on training the workforce how to recognize security threats always results in a higher return than investments in security technologies. Regular spearphishing drills should be required for all employees. Reliance on usernames and passwords is a recipe for trouble.
- 4) Implement a Zero Trust Model: Once a system is breached it’s far too easy for attackers to compromise other systems by moving laterally across the network. A Zero Trust Model makes use of microsegmentation to contain a breach.
- 5) Don’t Chase Fads: Chances are that shiny new technology somebody is dying to implement is not all that secure. IT organizations need to exercise patience while waiting for new technologies to mature.
Touhill says most hackers are going to seek out the path of least resistance. Cybercriminals are not going to take the time and effort required to launch a zero-day attack when a scan shows that some piece of software has been unpatched, or end users are willing to download malware hidden in an email or infected web site. Independent audits, penetration testing and bounty programs for discovering bugs in software should all be part of the strategy to strengthen security, adds Touhill.
But as good as any IT security team might be, Touhill cautions IT security teams will inevitably have a very bad day. Touhill says given the current state of IT security and the number of bad actors in the world, IT security teams need to be resilient enough to bounce back after taking a punch. Touhill says IT security is ultimately about people, processes, and technology. By focusing on those areas in concert with one another, Touhill says organizations have a significant opportunity to buy down their risk. But there will never be any such thing as perfect security. There will always come a day when the bad guys are going to get past one defense or another. The best any IT security team can really do is minimize the damage any cybersecurity punch might do by limiting where it can land wherever and whenever possible.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.