Most organizations today don’t really know how much their information is worth, which tends to make securing data across an enterprise an exercise in futility for many IT security professionals. Greg Touhill, a retired brigadier general and former CISO for US Government, says that conundrum results in organizations spending $100 to protect information that is only worth a dollar, while simultaneously not spending enough money to protect critical intellectual property.
Too many organizations still think of IT security as a technology problem rather than an exercise in risk management. Information is clearly one of the most valuable assets an organization possesses. But most organizations are not entirely sure who has access to that information; let alone what it might be worth. When it comes to IT security there are five fundamental concepts that IT security professionals need to make sure their organization master:
- Risk Management: No organization has an unlimited security budget. It’s not possible to defend every piece of data equally. Business leaders need to identify what data is most critical to defend. IT security professionals need to be able to convey what those risks are in a language business people can understand.
- Procurement: Security issues need to be addressed as part of the procurement process. Too many organizations are still running obsolete equipment that is impossible to proactively secure. Products and services consumed by organizations or created by the internal IT team need to be secure by design.
- Harden the Workforce: Most security breaches occur because of human error. Money spent on training the workforce how to recognize security threats always results in a higher return than investments in security technologies. Regular spearphishing drills should be required for all employees. Reliance on usernames and passwords is a recipe for trouble.
- Implement a Zero Trust Model: Once a system is breached it’s far too easy for them to compromise other systems by moving laterally across the network. A Zero Trust Model makes uses of micro-segmentation to contain a breach.
- Don’t Chase Fads: Chances are that shiny new technology somebody is dying to implement is not all that secure. IT organizations need to exercise patience while waiting for new technologies to mature.
Most hackers are going to seek out the path of least resistance. Cybercriminals are not going to take the time and effort required to launch a zero-day attack when a scan shows that some piece of software has been unpatched, or end users are willing to download malware hidden in an email or infected web site. Independent audits, penetration testing and bounty programs for discovering bugs in software should all be part of the strategy to strengthen security, adds Touhill.