
5 security maxims for IT leaders and key actions

Sharath Kumar

BANGALORE, INDIA: Hoopla around security has been around for a long time. Frameworks and strategies that claim to improve the security posture of organizations have kept evolving over that time.


Here are 5 security maxims that InfoSec leaders, chief security officers and security professionals should know and consider when making security decisions in their organizations. Key actions for each maxim are also explained.

The only thing more dangerous than not having security is having a false sense of security (poorly deployed security)

Most of the time, it is the mere presence of processes and technology tools that gives organizations a false sense of security. Security teams implement security tools and technologies in the hope of securing their networks, data, critical assets and intellectual property.


Then there is the boasting by proponents and security experts about a "fool-proof" and impressive security posture. Ultimately this lowers the guard of the organization, which is the biggest vulnerability of all. Moreover, in many cases these tools and technologies do not actually improve the organization's security posture: a control that is bought but misconfigured, left in monitor-only mode or never tuned to the environment protects on paper only.

Key Actions: Buying security paraphernalia matters less than implementing it correctly. Not all organizations have the requisite skills in-house for this. CISOs should look to a managed security services provider who can help them achieve effective security deployments.

In security, it is advisable to spend in a focused way rather than exhaustively (use only those solutions that are relevant)


Nolan Jones, Director of eGovernment Innovation at NIC, USA says, "A healthy dose of paranoia is a good thing when it comes to computer security. It sometimes seems that every person with a bad agenda is trying to attack your systems (and that just might be the case)."

Although there is no such thing as "too much security", there is indeed a risk of "too much trust in security". Expensive, new, improved and numerous security systems do not add up to "too much security"; in fact, they may not even add up to "adequate security".

What matters is to understand the business well, identify which assets need to be secured and use what is relevant. Everything else is a wasted exercise and, of course, wasted money. In an environment where security spending is still frowned upon, it is pertinent to make the best use of every investment.


Key Actions: CISOs should identify the critical security checkpoints in the infrastructure and application landscape and then develop requirements from them. They should not fall prey to marketing noise and put the cart before the horse. If required, help from an external consultant for an effective gap analysis audit may be sought.

Digging a well when the fire has started will only leave you with a burned house (be proactive; don't wait for an incident to prove the threat is real)

Reactive approaches to security are rampant across the industry. From national security to building and airport security to network and information security, security measures are all too often a reaction to an event.


A proactive approach is by far the best, although it is easier said than done. It requires CISOs to put themselves in the attackers' shoes: to see the opportunities attackers are looking for and the vulnerabilities they would exploit before an event occurs, and to close them with patches, configuration changes or tools before a breach.

Key Actions: CISOs should convince their CIO/CEO and the board that security threats are real. A quick PoC (proof of concept) using a service provider's tools should be carried out to identify the potential security gaps that need to be closed.

Security contributes to your top line and bottom line (higher availability, eliminated regulatory penalties)


If proactive security approaches help prevent breaches, that in itself is a huge saving, considering the financial, reputational and legal damage a breach causes an organization. The compliance and regulatory scenario is another reason to change the approach to security quickly: regulatory and legal penalties can be avoided too.

Letting experts handle an organization's security helps increase the availability of the critical systems that businesses depend on so heavily today. It is important to understand the top-line and bottom-line benefits of security while putting a security plan in place.

Key Actions: CISOs should champion security as a business enabler, because a lack of security will only lead to loss of business. IT leaders should take the time to educate business-line heads and P&L owners on the impact of security risks in terms of financial loss.


If the carrot doesn't work, the stick will (compliance pressures will ultimately catch up)

As mentioned, compliance is only getting more stringent. The organization's security posture plays a critical role in adhering to these stringent compliance norms, especially in industries such as BFSI, healthcare and pharma.

If security slackens, the government will soon get involved. If the carrot of business benefits does not work, the compliance stick will. And it is to be taken very seriously today; the classic example is the news of Target's CEO being ousted after the data breach at the company.

Key Actions: CISOs should identify the relevant compliance requirements and the security controls each of them implies. Help from a managed security services provider or a security consultant can go a long way in identifying and addressing these compliance needs.

(The author is General Manager, Product Development & Marketing, Netmagic - An NTT Communications Company)
