We live in a different world than the one we lived in years ago. Most security professionals were content to have time to play with some logs, install a new Intrusion Prevention System, or get a sample of malware and try their hand at reversing. Generally, most security professionals were relegated to a world of firewall administration, user authentication, and compliance (let alone the value-add security documentation that goes along with that…). As we’ve continued to see, times have changed and CISO’s and their teams are expected to do considerably more now.
As I proceed with my end of the year routine, which includes setting goals and resolutions internally for my team, as well as externally for myself, I thought I would share my major Information Security themes for 2015.
- Quit Wasting Time.
Hackers do not work according to your schedule. There is no such thing as “end of year” or “holiday weekend”, and there hasn’t been for some time in the cyber realm. Making plans to “get started” after a holiday or a weekend is exactly what adversaries expect you to do and is why they will continue to exploit companies with that mentality. Spending months doing POC’s on technology, putting off hiring or budget requests, waiting to deploy technology and other approaches that introduce unneeded delays are tactics proven to fail. Accelerate everything now.
- Focus on Security, not Compliance.
Compliance has failed us. Prevention has failed us. How many attacks need to be reported by the largest companies in the world for CIO’s & CISO’s to rethink their approach? The companies that are successful in information security understand that the only proven means of mitigating damage by attackers is to spend resources on detecting and responding to attacks- identifying them and shutting them down as quickly as possible before they escalate. Would you rather be out of compliance and pay a fine, or deal with a crippling Sony-like attack which will end up costing your company hundreds of millions of dollars?
- Be Proactive Defending your Network.
Even if you have an internal SOC & IRT, or an external MSSP provider, you still need to proactively look for threats on your network outside of the normal day-to-day operations. Either leverage your internal teams to hunt for anomalies that signal compromise on your network, or hire an outside firm to do it for you. You can find more tips on a recent post I did about hunting. Incidentally, penetration testing is not hunting.
- Invest in & Hire New College Graduates.
Last, but not least, it is common knowledge that there are not enough Information Security professionals in the world. Don’t waste months hoping and trying to find the right candidate or worse- throw your hands in the air and claim you simply can’t find anyone. Take the time to open headcount dedicated to hiring information technology graduates from your local college and put them into information security roles. You’ll be surprised how quickly they grasp the concepts and add value to the organization.
What you don’t see in these resolutions are items related to Intel, Mobile, or Cloud; those are simply realities we have to live with. What these resolutions represent is a mind shift and ultimately adjusting the way organizations operate. They won’t be easy, and in many cases will be considerably hard to execute on. However, a new way of thinking and conducting ourselves as Information Security Professionals is required, to have any chance of being successful and taking back control over our networks.
As always, I’d love to hear feedback, so feel free to reach out to me on Twitter @SeanAMason.