Almost every company I’ve worked for so far has had an overwhelming focus on technology when it comes to information security. A recent discussion on this subject had me thinking – and I did learn some things.
I’ve seen many board papers which, in their “security improvement plan” simply list a host of security toys and their delivery dates. I can understand how executives and senior leadership teams will see this as an improvement in maturity. “We’re listening to our cyber experts and spending pennies improving our technology and therefore becoming more resistant to a breach”. Unfortunately most of us know this couldn’t be further from the truth. A balanced focus on process, people AND technology is the key. Sometimes I see these plans mention people and I get a little excited, until I see it reads “we will expand our cyber team by 20%”, and then I get a little angry. I bet every organisation could fire half of their current security teams and be more mature as a result. Why? Because if they forgot about all the noise, what’s left of their team would be forced to focus on the priorities, the basics. And we all know the basics are the most important.
And don’t get me started on budget. I was once asked in an interview for a security position, “Imagine you had an unlimited budget, what technology would you purchase?”. I held in the frustration and told them it depends entirely on the organisation, their current security posture, the gaps and the security strategy. It isn’t about a shopping list of my favourite toys and vendors I’ve used before because they once expensed a night on the town.
I feel this is one of the issues with the security industry. CISOs and management are too egocentric. They want to list “managed £100m security budget” and “led 100-strong security team” on their CV because the next company comes along and thinks they are capable of the role based on this.
Going back to the tech, though. What a lot of people in the security industry don’t seem to understand is that technology is a facilitator, an enabler. Without the right people and processes, the tech is arguably useless. You can have the best-of-breed technology the cyber world has to offer, but if you don’t configure it right, continually tune it and maintain it, it’s probably not helping you much. Let’s say you buy the best firewall out there. You slap it on your perimeter with a big grin on your face, but you leave the default rule-set enabled, and at the end of it you have a lovely Any:Any rule enabled. The execs think they have done the right thing in opening the org’s wallet.
Digging deeper. Privileged access management (PAM) is a control that every organisation has in some way. Every organisation has highly privileged accounts, whether it is domain admin in a Windows environment or the Linux and (name your) cloud-based alternatives. Yes, you can buy a tool which will record and control access to privileged accounts. But, if you don’t have a process to set up all of those lost, forgotten or overused service accounts in said PAM tool, or if you don’t invest the time and resources to train your cyber team on how to use the tool to derive the benefits initially stated, you’ve accomplished hardly anything. Taking this a step further, let’s say you DO put all of your domain privileged access in the tool and tune it. If you don’t do anything about the fact you have the same local admin password on every workstation, well, you’ve still achieved little. Because we know that malicious actors will almost always take the path of least resistance, the path of least cost.
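To make the two “basics” above concrete, here is a small audit script, added as an example and not part of the original post or any product it mentions. It runs over constructed sample data (a hypothetical firewall rule export and a hypothetical workstation inventory; the field names, the `local_admin_fp` fingerprint field and the `WS-00x` host names are all assumptions) and flags exactly the two conditions the post describes: a default Any:Any allow rule left in place, and a local administrator credential shared across more than one workstation.

```python
"""Added example (not from the original post): a small 'basics' audit over
constructed inventory data. It flags the two failure modes the post describes,
a default Any:Any firewall allow rule and a local admin credential shared across
workstations. The data layout and field names are assumptions."""
from collections import defaultdict

# Constructed sample firewall rule export (hypothetical format: one dict per rule,
# in evaluation order). The trailing 'default' rule is the Any:Any the post warns about.
FIREWALL_RULES = [
    {"name": "allow-https-in", "src": "0.0.0.0/0", "dst": "10.0.1.10/32", "port": "443", "action": "allow"},
    {"name": "allow-dns", "src": "10.0.0.0/8", "dst": "10.0.0.53/32", "port": "53", "action": "allow"},
    {"name": "default", "src": "any", "dst": "any", "port": "any", "action": "allow"},
]

# Constructed sample workstation inventory. 'local_admin_fp' stands for an opaque
# fingerprint of the local administrator credential as an inventory or LAPS-style
# tool might report it; identical fingerprints mean identical passwords.
WORKSTATIONS = [
    {"host": "WS-001", "local_admin_fp": "fp-7c1e"},
    {"host": "WS-002", "local_admin_fp": "fp-7c1e"},
    {"host": "WS-003", "local_admin_fp": "fp-9a40"},
    {"host": "WS-004", "local_admin_fp": "fp-7c1e"},
]

# Field values that match everything in this hypothetical export format.
WILDCARDS = {"any", "*", "0.0.0.0/0", "::/0"}


def is_wildcard(value: str) -> bool:
    """True if a rule field matches everything."""
    return value.strip().lower() in WILDCARDS


def find_any_any_rules(rules):
    """Return names of 'allow' rules whose source, destination and port are all wildcards."""
    return [
        r["name"]
        for r in rules
        if r["action"].lower() == "allow"
        and all(is_wildcard(r[field]) for field in ("src", "dst", "port"))
    ]


def find_shared_local_admin(workstations):
    """Map each credential fingerprint used on more than one host to the sorted list of hosts."""
    hosts_by_fp = defaultdict(list)
    for ws in workstations:
        hosts_by_fp[ws["local_admin_fp"]].append(ws["host"])
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


def basics_report(rules, workstations):
    """Combine both checks into one findings dict; an empty value means that check passed."""
    return {
        "any_any_allow_rules": find_any_any_rules(rules),
        "shared_local_admin": find_shared_local_admin(workstations),
    }


if __name__ == "__main__":
    for check, result in basics_report(FIREWALL_RULES, WORKSTATIONS).items():
        status = "FAIL" if result else "OK"
        print(f"[{status}] {check}: {result}")
```

Run against the sample data it reports one Any:Any allow rule (`default`) and one fingerprint shared by three workstations; the point is that both findings are cheap to produce from data you already hold, which is the kind of control-maturity evidence a plan entry like “local admin workstation accounts have strong, unique passwords” should be measured by.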
Instead of a cyber improvement plan looking like this:
- January: *Some fancy privileged access management tool goes here*
- February: *Some fancy network segregation toy goes here*
- March: *Some fancy next-gen firewall tech goes here*
- April: *You get the bloody picture*
It should look more like this:
- January: Privileged access management control maturity improved by 0.5 – local admin workstation accounts have strong, unique passwords.
- February: Network segregation control maturity improved by 1 – IT segregated from the rest of the network using hardened jump boxes.
- March: Network security control maturity improved by 0.5 – weak and insecure protocols removed. IT no longer allowed to access porn sites.
Or, if you have good reasons for investing in new technology:
January: Some fancy tool purchased. X weeks required for our employees to be trained on the tool. X weeks required to properly configure the tool. X months required to tune it in line with our environment and meet the initial requirements. X days required for testing of control effectiveness. Control maturity increased by 1. Ongoing tuning and improvement required to maintain control maturity.
All of that said, understanding the current and evolving technology market is also important in mapping your organisation’s security direction. If you don’t know how your organisation’s key vendors are doing financially and where they are spending their cash, let’s just say you don’t want to be in a five-year contract with a vendor who is moving towards IoT instead of security…
To summarise politely: stop pretending technology alone is the answer; it very rarely is. Instead, focus on the balance between people, process and technology and prioritise accordingly.
In many ways our industry is still rather new and is of course ever evolving. Just because everyone else is doing something doesn’t mean it is correct. OK, track your peers and check in with them to share info and see what their focus is, but ultimately they have been or will get breached. And when you get breached, which you will, you don’t want to tell the regulator “we did what our peers were doing” instead of having focused on your own weaknesses, your own journey.
Ultimately, each organisation is at a different stage of whatever journey they are on, they have different challenges, different weaknesses and different strengths. Security is about doing the right things, at the right time, in the right order. Those things will vary widely depending on your organisation. But that’s the key, focus on your organisation.
Over and out
Ash