Far too many corporates are not doing enough to secure their digital assets and data. When an incident occurs it is usually blamed on the increasing number of threats, and their growing cleverness and sophistication.
“They also blame the rise of state-sponsored threats, hacktivists, custom malware and new attack vectors,” says Lutz Blaeser, MD of Intact Software Distribution, a distributor of Bitdefender.
There’s no doubt, he says, that security practitioners are in the hot seat, as their opponents get better and better, and are often better funded. “At the same time, trends such as mobility, the Internet of Things, cloud and big data are on the rise, bringing with them a whole slew of security issues.”
According to Blaeser, there are several mistakes security teams are making that are sabotaging their efforts. “Firstly, they are not aligning properly with the business teams. Properly aligning with management means adopting risk-based frameworks that assist organisations to pinpoint the risks they face, as well as prioritise them based on the nature of the specific risk.”
Adopting risk-based frameworks takes time, and a massive amount of effort. However, as it is being developed, security teams will find better ways to collaborate and work alongside the business, and will ultimately get a better understanding of the business needs.
“Another mistake security teams are making is depending on technologies too much. Security solutions have come a long way, and are getting better and better at detecting advanced attacks, controlling identities, and carrying out data analysis of logs and system events. Automation is also improving things, but we need to remember that security is much more than software and dashboards.”
To properly secure the business, the first step is understanding. “This means understanding the business, what its most valuable assets are, where they reside in the system, and then making sure security resources are properly allocated to ensure the most important proprietary data is protected. This requires more than just security tools and controls, but a thorough understanding of the mechanisms and details of the business.”
Another way in which security teams are going wrong, says Blaeser, is they do not try to understand where business users are coming from, and what their needs are. “Most people are just trying to get their work done, and deploy new apps and technologies, or make the existing ones better. The security team needs to vet any changes for how they may impact on security posture, and give feedback on effective tools to lessen or mitigate the risks and what if anything the costs involved are.”
Unfortunately, most security teams are too wrapped up in security, and simply veto any new initiatives, instead of trying to make them happen in a safe and cost-effective way. “When this happens, the business users tend to ignore security and simply bypass it as they try to get the tools they need. This isn’t helpful to anyone,” Blaeser says.
Security is more than just an ICT issue, it permeates every corner of the business. “Everyone needs to be involved, from C-level execs, to managers, to users – and don’t forget contractors, suppliers and other third-party partners. Times are tough for those in the security game. They are facing highly funded and motivated opponents, not to mention malicious or careless insiders who wreak havoc. This is why security teams need to work with the organisation, and do everything in their power not to sabotage their own efforts,” he says.