From a Fragile Security Posture to an Agile Security Program

Connie Barrera, Director of Information Assurance and CISO, Jackson Health System

On a daily basis company breaches continue to make headline news. These reports have become so common that folks have no doubt become desensitized. From consumers to an organization’s board, we find individuals resigned to the notion that it’s no longer a question of “if” but instead a question of “when, will an organization get hacked?” Albert Einstein said the definition of insanity is doing something over and over again and expecting different results. That’s exactly what we’ve been doing with our IT security programs.

  Some of the biggest headlines in breaches revealed that it wasn’t a lack of technologies or alerts, but that the staff failed to act 

Breach statistics from 2004 to present, of the World’s Biggest Data Breaches, depicts clear evidence that every business sector is vulnerable and even more alarming, no amount of wealth seems to be stopping the plague of attacks. What are we missing?

Let me count the ways

Putting action behind rhetoric: Overtime, and as a result of all the buzz surrounding Cyber Security and breaches, senior leadership has become quite effective at articulating the problem as well as their support for a security program. A big gap though, remains between words and actions. Less than 50 percent of organizations today have a Chief Information Security Officer (CISO) on staff. With or without a CISO, security programs continue to struggle for both funding and/or staffing needs.  No amount of effort will take you further, if you’re simply running in a hamster wheel.

Poor fundamentals: Most would expect in the age of virtualization, cloud, and Internet of Things (IoT), surely we’d be quite sophisticated with security by now. Not so fast. While there are exceptions to everything, most organizations continue to struggle. In the halls of IT, blogs, social media and even the evening news, we constantly hear about Cyber-war, Cyber-attack, Cyber-espionage. Cyber Security quite simply starts with a sound network architecture and strategy fundamentals. Most organizations are faced with archaic architectures and technologies that are not easily replaced, for any number of logical reasons.

Think about this, how effectively does your organization remediate operating system vulnerabilities? Do you even have a process in place to detect and fix these issues? How efficiently and quickly are OS patches applied month after month, not to mention patching for 3rd party applications which many times are the biggest avenues for hackers?  What you’re left with is a recipe for disaster.

To compensate, for this lack of solid fundamentals, the traditional approach is to throw technologies at the problem. Ironically, most of the times the technologies and their capabilities are either under-utilized and/or poorly understood. Many times we also find the adoption of many solutions is motivated by their position on a magic quadrant, as if that in itself will solve all our issues. On most days, staff runs around putting out fires and paying little to no attention to the broader picture.

From reactive to proactive: How do you change tracks on a bullet train going full throttle? I’d say very carefully and with surgical precision. To start, you must ask the right questions which include:

• What are the mission, vision, and goals of my organization?
• What are we trying to protect?
• What is our security strategy?
• Where are the security gaps?
• Is the staff appropriately trained to make the best use of these technologies?

Regardless of the level of support executive leadership provides the CISO, good or bad, the inputs above will provide the hard core facts needed to sustain the focus, funding and attention needed by every security program.

For many years, IT operated in a silo, serving up new technologies with little to no consultation with the business. What you wound up with was a workforce constantly struggling to find logic and constantly asking, “Why is IT doing this to me?” Depending on the maturity of an organization, there are varying degrees of collaboration with other divisions. We must all realize that not until we’re in lock step with those we serve, and strategically aligned with the mission, goals and vision of the organization, we will continue to fail. This implies getting out of our offices, walking around, talking to the right people as well as touching base with everyone. The success of security controls very often depends on individual adoption/buy in. Finding creative and innovative ways to keep an organization safe is never ‘out-of-the-box’. As security professionals, let’s own this reality “how” will make or break us and our programs.

A recipe for success: Success begins with competence and engagement by all members of the security team and a passion for what they do. It then extends out to members of the IT division realizing and accepting their respective roles with IT security and ultimately ends with the rest of the organization understanding security is everyone’s responsibility. A robust security program is one that has minimized the noise, through the hard work of analyzing solutions currently deployed, figuring out what’s working and what’s not and ultimately making changes over time.

For every new solution you adopt, ensure you understand the following:

• Platform/Operating systems
• Program languages
• Authentication and authorization
• Interfaces
• Databases and associated capabilities and expected configurations
• Processes and port requirements
• Patching constraints
• Web based configurations
• Data flow
• Does this environment conform to your security architecture, if not, are you able to persuade the business to a solution that does?

For every environment you should:

• Determine if this adoption creates policy gaps or a need to edit existing policies
• Create detailed installation/configuration procedures
• Develop an operations manual
• Document the data flow in detail
• Perform monthly OS vulnerability scans
• Perform monthly web application penetration testing
• Perform a monthly control audit
• Perform quarterly user access reviews
• Consolidate audit logs
• Correlate all logs into actionable intelligence

A robust successful security program will take time, dedication and team work within and outside of the IT division. Stop the insanity by taking a pause and start making small but significant changes that will ultimately allow your organization to be a strong adversary for hackers and increase the overall efficiencies and success not only for the security team and the IT division but more importantly to the organization as a whole.

Read Also

The Critical Future of Identity and ACCESS MANAGEMENT

Joseph Carson, Head of Global Strategic Alliances, Thycotic

It's a Huge undertaking to do this...

Jim Routh, CSO, Aetna [NYSE: AET]

The Role of Encryption and HSMs in Creating Trust

Peter DiToro, VP of Customer Services, Thales e Security

3 things CIOs and CISOs Need to Know to Keep their Company Secure

Malcolm Harkins, Chief Security and Trust Officer, Cylance