By Zach Malone, security engineer, FireMon
During this time of year, we see endless articles projecting predictions for the year ahead. And while predictions can help organizations prepare for potential new technologies, processes and other developments that might impact their business, they can also be wrong. That’s why there’s tremendous value in looking into the rear view mirror this time of year, rather than guessing what’s around the next corner. By assessing common trends that emerged over 2018, you can make the necessary changes and investments to make 2019 a truly happy new year.
With this in mind, here are three common security mistakes that organizations made in 2018, along with best practice recommendations to help you avoid or eliminate them in 2019.
- Operating with a “Business Trumps Security” Mentality.
From increasingly sophisticated cyber-criminals to an ever-expanding attack surface and overly complicated IT infrastructures, there’s no question that today’s cybersecurity landscape is complex. So complex, in fact, that some organizations are opting to bypass security altogether rather than devote the time, resources and budget required to implement security properly.
The tug of war between the business and security is especially apparent within DevOps. With the emergence of agile development and continuous delivery, DevOps teams can now develop and bring new apps and services to market faster than ever before. But, security hasn’t been able to keep up. As a result, security is often a “bolt on” at the end of application development processes, if it’s considered at all, and the process of provisioning policy rules for new IT assets often slows deployment by days or even months, causing many DevOps teams to perceive security as a “roadblock” to IT deployment.
Best Practice Recommendation: In most organizations today, business trumps security, but neglecting security because it slows down business practices is not practical or beneficial. To align DevOps and security teams and move security from an afterthought to the forefront, organizations must:
- Develop a DevSecOps model, where security teams are fully integrated into the DevOps process from the start, rather than being left as an afterthought. This model allows security professionals to become part of the overall DevOps workflow, creating and implementing security functions, policies and controls throughout the application development cycle.
- Adopt an “intent-based” approach to security, which templatizes and automates how security policies and rules are generated and applied to new IT assets based on the “intent” of each. By understanding the intent of all network assets, security professionals can templatize rules and policies, and automatically apply them to new DevOps deployments.
The combination of DevSecOps and intent-based security greatly increases the probability that IT assets have the right rules and profiles assigned and that DevOps teams can move as fast as they need to without introducing new security risks – in other words, organizations can finally achieve the security that moves at the speed of business.
- Failing to Report on Security in a Way Business Leaders Can Understand.
Security teams often struggle to demonstrate the value their investments and operations bring to the business, prompting many C-level executives to see security as nothing but a cost center. This is problematic for two reasons: 1) security professionals are often left out of business strategy, making it more difficult for them to secure corporate data and systems, and 2) when costs need to be cut, security is often first on the chopping block, leaving organizations vulnerable to attack and subject to compliance fines.
Best Practice Recommendation: Security is a business problem, and one of the best ways to get executives to understand this is by implementing metrics and key performance indicators (KPIs) that illustrate how security spend is mitigating the organization’s security and compliance risks – and doing so in a way that business leaders can understand. For example, showcase how a particular security investment helps the organization adhere to industry regulations, such as PCI DSS, HIPAA or GDPR, and avoid compliance fines, which, in some cases, can total millions of dollars. Or, demonstrate how security investments mitigate the risk of a data breach, along with its associated consequences, such as reputational damage and a loss of customers.
It might also be helpful to compare security to insurance policies to help business executives better understand its purpose. People purchase home insurance so they’re covered in the event their house is damaged by a burglary, a fire, a natural disaster, etc. Most people know the chances of ever needing to cash in on their policy are low, but they don’t want to take the risk of going without protection. Security investments work in much the same way. Security teams hope to evade the attention of cyber-criminals, but they want the tools in place to mitigate risk and make sure their organization is protected in the event of an attack.
- Mistaking Technology as a Security Policy.
Organizations often fall into the trap of defending against new cybersecurity threats with technology procurement. They’ll buy the latest and greatest point solution and consider it their security “policy.” Not only does this result in complex, costly and difficult-to-manage infrastructures, but it introduces tremendous security and compliance risks.
Best Practice Recommendation: Security policy should extend beyond technology to also include people and processes:
- Technology – Rather than implementing “a tool for every threat,” organizations should consider a more holistic approach to security that focuses on using a subset of security tools that are specifically designed to address the organization’s unique risk profile.
- Processes – Security policies must include clear, prescriptive processes that help the organization continuously validate that technology is working, learn and follow security best practices, and maintain the desired state of security.
- People – Having a written policy is only worthwhile if it’s followed by all personnel – from C-level executives, down to entry-level employees. If executives aren’t setting a good example by following security best practices, then the rest of the staff will assume security isn’t a priority. A company’s security policy should be as important as its mission statement, and it should permeate all aspects of an organization’s corporate culture.
Learning from the Past
To stay one step ahead of the bad guys, organizations, vendors and other security organizations need to work collectively and learn from each other. By assessing security wins and weaknesses (both their own and their colleagues’) from the previous year, organizations can improve upon their security programs and start 2019 with the upper hand over cyber-criminals, who have held the reins for far too long.
About the Author
With more than a decade of experience, Zach Malone is a seasoned security engineer specializing in cybersecurity, compliance, networking, firewalls, IoT, IPSec, system deployment and orchestration. At FireMon, Zach delivers technical demonstrations and proof-of-concept evaluations to move prospective customers from service assessment to purchase. Prior to joining FireMon, Zach was a security engineer at Cadre Computer Resources Co., where he helped organizations of all sizes design, implement, support, and test security products and operations. Before that, he served as a Diamond/Escalation engineer at Check Point Software Technologies and a network administrator at Choate Professional Communications and Infrastructure. Zach attained the CISSP certification in April 2018.