The Great Security Race
Why is a comparison to other, similar organizations so sought after? Is it comforting? All too often this information is used in an effort to validate that there's no 'need' to do more. Organizations seem to be too content with being in the middle of the pack. Benchmarking information should be leveraged as motivation, or in certain cases as ammunition, to improve an organization's security program.
This reminds me of the old saying, "you don’t have to be faster than the bear, you just need to be faster than the other guy." The bear in this case is the attacker. If your attacker is a state sponsored, sophisticated, and determined attacker, few companies can outrun that bear. But, can you make the bear go elsewhere?
Being faster than the other guy won’t always prevent attacks. If you are a well-known company or store or process data that is interesting enough, the attacker may not go elsewhere just because you have thrown up some roadblocks. They’ll likely keep trying. But for many companies, being faster than the other guy helps.
Key Factors to Consider
Unfortunately there's no magic button. The best way for organizations to protect themselves is to have a comprehensive and proactive security program with preventative controls, extensive awareness training for all staff, detective controls to catch and address anything that slips through the gaps, mature processes to correct any identified failures, and frequent security assessments and penetration testing to continuously validate the effectiveness of the program. Doing these basics well will set you a step above most organizations because most companies struggle to get the basics right. Why is that? The short answer is that the basics are simple, but far from easy. Key factors to consider include:
1. Not having a strategy for Information Security. You must know what you’re trying to accomplish, know the assets you are trying to protect, and understand the threat landscape.
2. Lack of organizational support from the appropriate level of management. Good security can’t be achieved if the business constantly overrides the Security Department. That is not to say that Security should override the business either. Risk Management practices should be in place to make good business decisions that consider the security impact.
3. Most security groups are under-resourced and often are composed of staff who have not been specializing in security for more than a few years.
4. Having rapidly changing IT, often due to growth through acquisition. This also often results in legacy systems beyond support agreements and patch availability.
5. Lack of reporting on security, including quantitative metrics. Don’t tell me how we’re doing on security - show me. I would include independent testing here as well.
Actions to Take
Maintaining a secure environment is hard work. There are lots of moving parts and lots of things that need to go right. Most companies struggle trying to get it right. So - what to do?
1. Create a Strategic Plan for Security. I don’t know how you can do security well without a plan. The plan does not have to be complex. If you don’t have the expertise to put an Information Security Strategic Plan together, obtain the services of somebody who does. The basis of the plan should be a Risk / Threat Assessment. The plan should roughly follow the security framework that fits your business best. NIST, ISO, CSC, and CMMC would all address the security basics.
2. Create a Governance Structure for Information Security. The governance structure should define roles and responsibilities for security, and ensure proper resourcing, support, and oversight of the security function.
3. Ensure appropriate training for security professionals. Security professionals must stay current. Training does not always have to be expensive. There are many resources out there. It’s important to hire self-starters motivated to learn all they can about security.
4. Staff appropriately. There will always be a conflict in staffing for security unless you are in the security business. Staffing levels also seem to ramp up after a breach (closing the barn door after the horse has left). External resources can sometimes be more cost effective than FTEs. If you are an SMB you may be able to outsource your security operations center (SOC) to a managed provider and get 24 x 7 coverage for far less than the cost of the FTEs it would take to staff three shifts of a SOC team.
5. Create reporting metrics, key performance indicators, and key risk indicators, and make them as quantifiable as possible.
6. Have independent testing performed on your security controls. Many companies make the mistake of testing less often after a subpar pen test. More frequent testing should be done until your pen test goes well. Of course you must also address the underlying cause of the poor pen test results or you’ll just get more of the same (see bullet points 1-5 for more information).