What are the top things we have learned from performing 200+ security audits?
1. The “major issues” do not change
Good security is good security, and you can think of the major security issues as giant “targets” within your organization: targets the bad guys hope will come into their line of fire, and at which they are constantly shooting. You can easily spot and name these targets: user awareness, access control, backups/recoverability, and so on. These are the primary topics that most compliance requirements are built around. Identifying these large targets and putting the appropriate safeguards in place to make them smaller is the goal of a good security program.
2. Security is a moving target
Even though the “major issues” (the targets) do not change, do not confuse this with thinking that the targets are stationary. Once they have been identified, key performance indicators should be established so that each target can be measured and constant improvement realized. As these targets move around, they also tend to grow over time: unpatched systems accumulate, accounts are created and never removed, and backups go untested. If your security program has no component of measurement and constant improvement, your “small targets” can quickly become large enough for the bad guys to see. Doing well yesterday does not mean you will do well tomorrow unless you keep pace with those moving targets.
3. Most people like the “idea” of being secure
It holds true that almost everyone likes the “idea” of being secure. Far fewer actually want to take the steps to become secure, usually because of one or more myths:
- Cost – they believe they require an expensive “widget” to achieve their security goals
- Effort – the time/manpower simply does not exist (and cannot be prioritized)
- Impact – the changes proposed will affect the user population too greatly
- Denial – that will never happen to us OR we are already secure
At the end of the day, security comes down to making risk-based decisions. If those decisions are accurately recorded and measured, deciding whether to mitigate a given risk should be easy. Ask one question:
What are the potential consequences if I do NOT do this?
4. That’s not “security” related
At some point during an audit interview (usually several times), while discussing almost any topic, some detail is revealed that draws the response “that’s not security related” from the client or user. People often have a hard time relating everyday events to security issues. They understand that a “hacker” or a “virus” is a security issue, but may not view things like service interruptions or high resource utilization as “security” related, even though availability is as much a part of security as confidentiality and integrity.
5. Gadgets and gizmos will not make you secure
One of the mantras we regularly preach to our clients is that security is about the “process,” not the “product.” We do this because of the large number of people who believe, “If I buy the latest HyperWall from DarkPlus with the VisorNet add-on, I will automagically be secure!” No matter how much we would like our gadgets to be plug-and-play, without some form of human interaction on the back end the tool will become stale and less useful over time (or it may never have worked to begin with). Measure the state of your security products and programs and strive to improve them over time; that is what keeps them effective.
We hope these five keys will help you better evaluate your security. If you would like to learn more about how you can protect your corporate data, please contact us. SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries, including legal, financial, utilities, and healthcare. Let us help you determine where you should spend your time and money protecting your information.