By Dave Maasland and Fred Streefland
Recently we have had the opportunity, a fun and interesting one, to visit a number of information security and cybersecurity conferences. These conferences were flooded with relatively ‘new’ developments such as NextGen, the Internet of Things (IoT), IoT DDoS attacks, security intelligence platforms, and so on. That some of these terms have become ‘hype’ is not in itself a problem, but we did begin to wonder whether the security world is looking at things the wrong way and thereby missing the demands that actually need to be addressed.
This article argues for a perspective on cybersecurity that treats it not as a goal in itself, but as something directly connected to business needs. As it stands now, too many security organizations seem to be missing the mark.
Lesson 1: Start with the business (and its risks)
Security in practice can be exceptionally complex, but its essence is quite simple. Security is nothing more than reducing or removing risks, and making the remaining ones visible so that the business can knowingly accept them and continue doing its work – nothing more, nothing less. To do this as effectively and efficiently as possible, we, as security people, have to understand the business, and not see it solely from an IT perspective but from the broader perspective of the business itself.
When starting from the business, we first have to identify, map, and categorize the risks of the specific business. Second, we have to determine, together with the business itself, which risks need to be dealt with and in which order.
When that is done, the person responsible for security within the company has to set up a security plan that describes how the selected risks are to be addressed, with clear goals and deadlines. Ideally, this is done in a ‘smart’ way, one step at a time, so as not to run too many projects at once.
Lesson 2: Determine a security roadmap with a clear goal, step by step
Defining your security approach (or security roadmap) is essential, and it should be discussed with the business on an ongoing basis so that adjustments can be made where and when necessary. Every project defined on the roadmap, from its creation through its execution, should contribute to the reduction of risk and to the end goal.
It is important not to lose sight of the business goals, because the people responsible for security should not ‘restrict or obstruct’ the business with security measures. It is not rocket science, and should not be treated as if it were. The plan should be something that everyone, even without IT skills, can understand. Of course, IT plays a role, but only at the last step, when IT solutions are needed to execute the security projects.
Lesson 3: Cover the basics before implementing more advanced security solutions
Looking back at the conferences we attended, we noticed that most organizations do not even have basic security measures in place, let alone advanced security solutions. Security company presentations on these technologies often look stunning and offer interesting content, but they are simply too advanced for most companies. Furthermore, in our experience most hacks (roughly 90%) still use the simplest methods and weaknesses: phishing emails, malware attachments, and the like. And, of course, there is the weakest link of all: the human being.
Companies need to put basic security measures in place for these simple risks first, before they turn their attention to more advanced technologies. Those are important as well and should be implemented in the future, but only after the basics are fortified. Security conferences often focus on sophisticated threats and APTs (advanced persistent threats), but companies such as TalkTalk and Ashley Madison might have been protected from attack if even basic security had been in place.
Lesson 4: Build the right partnerships – cooperation between IT Security professionals is essential
New developments arise quickly and malicious groups and individuals are using more varied and advanced attacks and tactics. Eventually, more advanced security solutions will become inseparable from our organizations’ broader security roadmaps. However, the foundation has to be in place before the ‘house’ can be built. And to build this house, cooperation is needed between the architect, the realtor, the mason, the plasterer and of course the homeowner.
This sense of building something together is exactly what needs to happen in the security world. We have to cooperate intensively because, much like building a house, there is no single owner or architect who is also the best in masonry, painting, or construction.
No single security company has the best solution for each and every security risk, so working together is a must. Those who would cause your company harm are already doing this, so it’s time security professionals do the same. We need to start with the owner (the business) and the foundation (the roadmap), and then forge relationships with the right contractors (security vendors). Only then can a strong, reliable, and safe house be built.
Lesson 5: Get everyone involved – it’s the only road to success
To make progress between security and the business, there has to be understanding and support from the business, and vice versa. Those responsible for security have to be able to give short and clear explanations in order to get all of the different stakeholders in the company to participate. If they cannot, the business (and the board) will never understand, and there will not be the buy-in and support needed to implement your plans, no matter how good they may be. As the saying often attributed to Einstein goes: “If you can’t explain it simply, you don’t understand it well enough!”
(Dave Maasland is CEO of ESET Netherlands while Fred Streefland is an IT Security Manager at LeaseWeb. Reproduced from WeLiveSecurity).