With the steady drumbeat of ransomware stories in the news, you’d think security hygiene would also be front of mind for the media that caters to CISOs and their teams, but in truth there is surprisingly little commentary on this important subject.
Instead, there’s a growing perception that companies need new security technology to help them ‘fight ransomware’, but this isn’t always the case.
The ugly truth is that we are still seeing the same kinds of attacks today that we saw in the 90s. Attackers are still taking advantage of people, because people remain the weakest link. Even with a rigorous security training program and technology controls designed to limit the damage, users are still prone to click on links when they shouldn’t.
So, what can you do? The logical thing is to fix the underlying weaknesses that are open to exploitation. This isn’t the sexy stuff. I’m talking about cleaning up your access management program, improving vulnerability and configuration management, and making sure your systems are patched. You know, all that basic, boring, old school stuff. This is what should form the foundation of your security program.
Every organization has security standards and policies that cover the basics, and we often go to great lengths to get these policies written and approved. However, it’s rare for companies to have these programs fully implemented, which makes little sense: if you don’t implement, measure and improve the policies that cover the security basics, they become nothing more than another piece of paper.
Implementing policies that drive measurable improvement in vulnerability management or IAM requires a good deal of work. You have to build a business process for managing these basic programs, measuring how well they are implemented, and self-reporting the results.
CISOs and security teams can sometimes neglect compliance and policy work because it is time consuming and not very visible. After all, you’re not going to get a lot of recognition for making sure that your cryptographic controls actually enforce standards such as minimum key length and certificate validity periods.
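Measuring a policy like the one just mentioned is mostly unglamorous bookkeeping, but it is what turns a written standard into something you can report on. The following is an added example, not code from the original post or its author: it takes a constructed certificate inventory (hostnames, algorithms and dates are made up) and scores it against an assumed policy (RSA keys of at least 2048 bits, EC keys of at least 256 bits, a maximum validity of 398 days, and a 30-day expiry warning window). The thresholds and the `Cert`, `evaluate` and `report` names are this example’s own; swap in your organization’s standard and feed it whatever your PKI or TLS scanner exports.

```python
"""Audit a certificate inventory against a key-length and validity policy.

Added example (not from the original post). The policy thresholds and the
sample inventory below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: minimum key size per algorithm, maximum certificate
# lifetime in days, and how far ahead an upcoming expiry is flagged.
POLICY = {
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "max_validity_days": 398,
    "expiry_warning_days": 30,
}


@dataclass(frozen=True)
class Cert:
    name: str
    algorithm: str   # e.g. "RSA" or "EC"
    key_bits: int
    not_before: date
    not_after: date


def evaluate(cert: Cert, policy: dict, today: date) -> list[str]:
    """Return the policy findings for one certificate (empty means compliant)."""
    findings = []
    min_bits = policy["min_key_bits"].get(cert.algorithm)
    if min_bits is None:
        findings.append(f"unapproved algorithm {cert.algorithm}")
    elif cert.key_bits < min_bits:
        findings.append(f"{cert.algorithm} key {cert.key_bits} bits < minimum {min_bits}")
    lifetime = (cert.not_after - cert.not_before).days
    if lifetime > policy["max_validity_days"]:
        findings.append(f"validity {lifetime} days > maximum {policy['max_validity_days']}")
    if cert.not_after < today:
        findings.append(f"expired on {cert.not_after}")
    elif cert.not_after - today <= timedelta(days=policy["expiry_warning_days"]):
        findings.append(f"expires within {policy['expiry_warning_days']} days ({cert.not_after})")
    return findings


def report(inventory: list[Cert], policy: dict, today: date) -> dict:
    """Score the whole inventory: counts, a compliance percentage, and per-cert findings."""
    results = {c.name: evaluate(c, policy, today) for c in inventory}
    compliant = sum(1 for f in results.values() if not f)
    pct = round(100.0 * compliant / len(inventory), 1) if inventory else 100.0
    return {
        "total": len(inventory),
        "compliant": compliant,
        "compliance_pct": pct,
        "findings": {name: f for name, f in results.items() if f},
    }


# Constructed sample inventory: hostnames, algorithms and dates are made up.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Cert("web-01", "RSA", 2048, date(2024, 1, 1), date(2024, 12, 31)),   # compliant
    Cert("legacy-app", "RSA", 1024, date(2023, 1, 1), date(2025, 1, 1)),  # weak key, too long
    Cert("api-gw", "EC", 256, date(2024, 3, 1), date(2024, 6, 15)),       # expires within 30 days
    Cert("old-vpn", "RSA", 2048, date(2023, 5, 1), date(2024, 5, 1)),     # already expired
    Cert("hsm-signer", "DSA", 2048, date(2024, 1, 1), date(2024, 12, 1)), # algorithm not in policy
]

if __name__ == "__main__":
    r = report(INVENTORY, POLICY, TODAY)
    print(f"{r['compliant']}/{r['total']} certificates compliant ({r['compliance_pct']}%)")
    for name, findings in r["findings"].items():
        for finding in findings:
            print(f"  {name}: {finding}")
```

The point of the `report` function is the compliance percentage and the list of named exceptions: that is the number you track month over month and the list you hand to the owning team, which is exactly the self-reporting loop the policy needs in order to be more than paper.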
It’s far easier to start talking to a new security vendor who promises that, if you buy their product, the latest threat du jour won’t get in. That might be more interesting, but you’ll get better results if you take the hard line and say that you’re not going to chase any new technologies until the ones you already have are operating as effectively and efficiently as possible.
When someone in my organization suggests a new security tool, I always ask whether the perceived need for it exists because we aren’t practicing the fundamentals. Often, we can improve our hygiene enough that we don’t need the new tool at all. For example, if you’re thinking about buying new ransomware tools to protect your organization, it is always worthwhile spending some time looking more critically at your vulnerability management and patch programs as a first step.
I think of security hygiene as a way to hold your security program up to a mirror. It’s similar to the way you look at yourself every morning to assess your personal hygiene: how well you’re doing with the security equivalent of combing your hair and cleaning your teeth. Ask yourself how effectively you measure your program against the threats you actually face. And while you’re at it, ask yourself whether you and your team value the work that goes into implementing security policy. Does your team, or any of the teams you rely on, get recognition for doing this difficult work?
Granted, this approach requires discipline and focus, but it pays off. You’ll get the most out of the security investments you’ve already made. Because you’ll have a much better understanding of your real risk posture, you’ll also be able to respond more effectively to a wide range of security threats. And your security budget won’t grow as quickly, which is always good news for your executive team.
I’d like to challenge all of my peers to make a serious commitment to operationalizing all of their carefully crafted security policies. You’ve invested the resources necessary to build and standardize them; now, instead of investing in a new ‘silver bullet’, spend your valuable resources fully implementing them. It won’t be easy, but it will be worth it.