- 03 Dec
6 Myths about IT Security, Busted!
According to The Global State of Information Security Survey 2016, in 2015, 38% more security incidents were detected than in 2014. Security breaches are surely shaking the foundation of businesses. It leads to FUD (Fear, Uncertainty and Doubt) syndrome.
The more recent breaches at TalkTalk, CIA Director Brennan’s AOL account hack, Dow Jones, T-Mobile, Scottrade, Trump Hotels, OPM and Ashley Madison just point to the glaring gaps and challenges in the Security world. I find the very recent breach at TalkTalk (one of the U.K.’s largest Internet service providers) interesting and significant mainly because of the statement coming from the CEO of TalkTalk. When asked whether the customer data was kept encrypted, CEO said “I don’t know”. While TalkTalk had this 3rd breach in 2015 and should have done more due diligence and taken actions to avoid such breaches, the honesty of the CEO is indeed admirable but also shows the state of today’s Security. I have seen for big corporations, the impact of most of the breaches getting downplayed and a facade is put up to pretend to exhibit a complete understanding of the breach that has happened and its impact and the security controls presence. The fact remains that most of these corporations had no clue of the data loss understanding of the impact of the breach and didn’t even have an approach to handle the after-breach scenario.
Let me highlight the popular myths that are currently operational and embedded when it comes to Security:
Myth: Our CISO is our Iron Man who will save us from all security problems
Our Iron Man is our only hope to save the world and he or she does not disappoint. Well, that surely doesn’t happen in a real life. In real life, CISOs (Chief Information Security Officers) are looked at as the Iron Man to save us from all security problems and CISO’s remain Ironmen, until their not at which point they become the Scapegoat.
Sorry to be a bit melodramatic but my heart goes out to those CISO’s who are in one of the most challenging jobs in the world today. Recently I read about a study that points out that “almost half of C-level executives (47%) still view the CISO’s role primarily as a scapegoat who “should be held accountable for any organizational data breaches”.
These findings arise from the fallacy that only CISOs are responsible for Security. Success in Security demands a collective effort. Any security program execution needs to tie strongly to the business objectives processes business unit owners and others in the ecosystem need to be involved so as to ensure the success of the security programs.
I see the role of the CISO as the binding force to get various stakeholders working towards a single goal of ensuring that security is addressed for all of the five principle entities – People, Machines, Networks, Applications and Data repository. The success of CISO’s depends on how strongly a security culture is pushed from the top and how involved and committed the various stakeholders are towards the success of the security programs applied to the various business units. The real Iron Man defenses are the members of your organization itself and his armor is your collective minds!
Myth: Buying Security products (perhaps the most popular ones) will solve my security challenges
You have seen this myth envisioned and practiced in full force. One of the popular ways of selecting a security product is to have a look at the leading solutions defined in each category from various research reports. Once the best known security products are deployed, a sense of satisfaction follows.
While there is nothing wrong at looking at reports to identify the leading security products in a given space, you should not get carried away. Security products have their own set of pros and cons and you need to perform your due diligence to ensure that the final selected solutions, fit to your business requirements, processes and long term strategy. With technology advancements happening at a breath-taking pace, your security solutions should be able to address your immediate and future requirements. Put a process in place for the evaluation and selection of security solutions.
One of the biggest mistakes I have seen is to put new security solutions straight into use without ensuring that they align with business requirements and processes. You need solution to your problems, not a solution that becomes a problem. Customize the security solutions around your selected needs so that you achieve your business objectives. Studies have shown that a majority of Identity and Access Management (IAM) programs don’t achieve their objectives. One of the major reasons for this is the failure of the organization to first identify and document their business processes fully and have their IAM solution match those. IAM solutions alone will not help you to achieve your business objectives. You need to fine tune the security solutions as per your needs.
Myth: I am compliant and hence I am secure
Points to remember for Compliance:
There is no doubt that Compliance is the biggest driver of IT security world-wide. Organizations spend huge amount of money annually to ensure that they are compliant with the industry and government compliance mandate. I have seen organizations proudly talking about being compliant to certain standards and deriving a conclusion that they are secure.
Compliance is not equal to Security. Compliance, in general defines the best practices and security controls that will help to improve your security posture and state the security required for that specific compliance. Most standards are not prescriptive in nature and it is ultimately on you to assess your business requirements, processes and strategy to layout your security roadmap and select and implement security controls that can help you achieve them. Treat Compliance as one of your enablers to provide a structure and best practices to protect your ecosystem but not the conclusive means.
Myth: Security is an IT project
There are two fundamental issues which arise when security is looked as an IT project.
Hence, ensure that the Security programs cut across the entire organization to ensure that they achieve the business objectives.
Myth: I have secured myself as I have bought Cyber insurance
The insurance industry runs on one single word “IF”. Cyber insurance has caught immense attention from organizations worldwide as breaches become the norm. It is no longer a matter of if a breach will happen but a question of when it will happen (if not already). Organizations buying cyber insurance feel lot more assured.
Let’s address the fundamental question of how an organization assesses how much cyber insurance it needs. A few methodologies have been developed to measure the cost of a breach by identifying the critical systems, operations and how much a business will be affected if those systems and operations were to shut down or data compromise happens. These estimates do not seem to consider critical parameters such as the effect of the breach on the company’s brand. It’s very difficult to quantify these parameters without the breach actually taking place. Such estimates may also give a false sense of security to any organization.
Getting cyber insurance should be just one part of your risk management strategy. This should not in any manner change the way you perform due diligence and drive your security programs.
Myth: I am flying on Cloud these days and security is cloud providers responsibility
With the growing acceptance of the Cloud technology, many organizations are leveraging the Cloud for their business initiatives. One of the fundamental questions that I see organizations grappling with is how much they are responsible for the Cloud. In fact, many organizations love to believe that cloud security is completely the cloud provider’s responsibility.
To make your life simpler please remember this “Whatever you put on the cloud is your responsibility”. Map it to all the Cloud deployment models and you will have clarity on what you need to take care of. Cloud security is a shared responsibility. Cloud providers such as AWS, Azure, etc. have provided various security controls from the perspective of Identity and Access Management, data encryption, application security, etc. It’s on you to assess the effectiveness of these security controls and tailor these to your unique requirements. You should ensure that you effectively configure and implement the security controls provided by the Cloud providers. You should also ensure that you implement the extra security controls that will help you meet your business and compliance requirements. Remember, it’s your business and hence it’s your responsibility to make the cloud security effective as per your requirements and remember the cloud is just the use of someone else’s computer located off site!
In the next post, I would like to give a few recommendations for CXO’s to help them shape up and design practical and effective security strategies and execution plans.
About the Author:
Nitesh carries a deep passion for the information security space. Nitesh is the Founder and CEO of Sacumen, a focused and niche Security Product engineering and Services Company. Nitesh has spent more than a decade in the Security space and carries multiple prominent security certifications such as CISA, CISM, CGEIT, CISSP, CSSLP, CEH, ISO 27001 LA, CCSK and HCISSP. Nitesh is on a mission to transform the perspective of IT security from a FUD (Fear, Uncertainty and Doubt) perspective to having IT security being harnessed as an enabler and differentiator.
Sacumen is a Security Product Engineering and Services Company. Sacumen was born to address the pressing needs of Enterprises and Product companies looking for a trusted, focused and niche Security services partner to help them develop innovative security products and solutions. Sacumen is focused on providing services to develop innovative solutions in the areas of Identity and Access Management, Application security, API Management and security, Authentication, and Security product engineering.