To say last year was an interesting year in enterprise information security would be an understatement. Hardly an industry escaped the breach headlines. And it wasn’t just a few outlier attacks, either. According to the Privacy Rights Clearinghouse there were nearly 68 million records breached in 2014.
And, as has been the case for the past handful of years, the shortcomings in enterprises are often the same: there’s too much focus on securing the perimeter. There’s not enough focus on the basics, and organizations often fail to appreciate the risks they are taking or the threats stacked against them.
That’s a pretty grim view to take, I know. But the flipside is that by making some very straightforward changes to focus on the basics, a great amount of improvement can be accomplished. And, in addition to the basics, there are a number of security resolutions which, if enterprises can resolve to stick to them, will help to improve their security and risk posture.
Begin Threat Modeling
Ask most executives if they know what types of attackers may target their data and IT systems, and most will not be able to tell you. They often have no more than a vague notion of hackers, or of malicious actors wanting to steal intellectual property or financial account information. The way to obtain a better understanding of the risks enterprise IT systems and data face is to threat model: the process of identifying potential adversaries, which assets they may target, and why. The next step is to mitigate any weaknesses that make those attacks possible, and to put defenses in place that raise the effort and cost of an attack.
This requires understanding where data that would be of value to attackers resides, and which systems and data would significantly affect operations if destroyed or disrupted. It also requires asking, depending on the nature of the bad actors who might target your organization, where they would hit and how they would go after your systems. And, should a successful breach occur, how ready is your organization to respond?
Enterprises that want to significantly reduce their risk will resolve to threat model in 2015 – and they’ll keep their models up to date.
Cultivate Information Security Talent
In the past year, more often than not, my conversations with CISOs and CIOs would turn to the difficulty in finding security talent. When I asked last year, I don’t think a single CIO or CISO I spoke with didn’t say that they had challenges finding the security talent they need. Don’t expect this challenge to let up any time soon.
We currently aren’t training enough information security professionals, and with the so-called Internet of Things the interconnecting of apps and devices on new platforms is just getting started. Enterprises are still expanding, and outside of North America and Europe there remains considerable growth to come. All of this means more potential points of attack. And that means more systems being built that will require some security expertise, if they are to be designed to be resilient.
A few years ago it was widely discussed that demand for security professionals would decrease because of the “simplicity” provided by cloud computing and virtualization. We see now that this was a fanciful hope. These systems are, in many ways, increasingly complex when it comes to securing enterprise data from attack.
With the expectation that demand for information security professionals is going to remain high, enterprises would be well served to resolve to find, keep, and internally cultivate cyber-security talent they need.
Begin Employing Security Metrics
It’s commonly said that it’s impossible to manage what you can’t measure. Security metrics, which are, loosely, measurements of changes in security posture or of performance indicators (time to patch, anti-malware coverage, quality of custom code, etc.), provide a rapid and comprehensible way to gather and convey information about enterprise security risk that is meaningful to IT experts and business stakeholders alike.
Without measuring and tracking security metrics, there is really no way to form anything close to a realistic view of the risk the enterprise faces and of how well that risk is being managed.
Knowing that security metrics can help to better understand risk, and make more intelligent security investment and spending decisions, organizations that don’t already do so need to resolve to mature their security program through security metrics.
Improve Relations with IT, the business, and Information Security
Another persistent challenge that CISOs and security managers are constantly lamenting is how poorly security and business strategies are aligned. The speed of technological change, the continuous evolution of the lethality of threats, and the rate of agile development and app deployments today mean it’s more important than ever that security goals are aligned with business strategy. This requires the CISO’s mindset to shift from that of a defender only to that of an enabler who provides secure and sustainable options to the business so it can meet its objectives.
Improve Incident Detection and Response
If we have learned anything in the past year, it’s that the current level of defenses simply won’t stop all attacks. This is true no matter how competent the security team. Some 68 million records were breached in 2014 across hundreds of North American businesses.
With outcomes like that, despite the heavy investments enterprises have made in their information security programs, it’s imperative that enterprises learn to respond more quickly to successful breaches while they are underway.
This is why enterprises that want to improve their security posture will resolve this year,
So while it’s true that enterprises have invested heavily in building digital barriers between themselves and potential attackers, they have not invested enough in what to do about the few attackers who get through. In the year ahead, if there is one area on which your enterprise should focus, it is transforming your security posture into one that accepts that there will be successful breaches, and that has the resources in place to respond in a way that contains the attack as much as possible.