After nearly 20 years in the security industry, I’ve seen my fair share of the good, the bad, and the ugly. I’ve had countless opportunities to help companies improve, but when it comes to security problem solving, I first like to frame my thinking with a couple of non-technical principles I’ve seen at the root of many security pains.
If you’re new to security, need a refresher, or have security personnel reporting to you, here’s a brief list to think about. I plan to unpack these and several more in separate posts…
There are no silver
bullets. Technology does have a role to play in managing threats and
vulnerabilities, but hardware and software are created,
sold, deployed, and managed by people — what you buy, why you buy it,
who installs it, and how it’s managed are all influenced by humans. To err is human.
Trying to protect everything is expensive and overwhelming, so don’t try it. Find what’s important, learn how it’s used, and who uses it. Track how it flows through the network and out of the network, i.e. laptops, email, ftp, etc. You may not like what you find. Isolate sensitive data and focus your prevention, detection, and response safeguards there.
Why you secure something can be more important then “how” you secure it. The “why” should be driven by Federal, state and local law, customer contracts, and goals set by senior management. This can make justifications easier and get everyone on the same page.
Security incidents will happen – they cannot be avoided, so plan for failure, knowing that a quick response means a lower impact. If you build a “bigger wall” anticipate a “taller ladder” — it will come. If Google and the US Federal government can be hacked, so can you.
Communication is king. Everyone in the organization has a role to play in security. Playing “network God” alienates people and causes dissent. Don’t barrage end-users, managers, and C-types with techno-babble, jargon, and FUD. Educate users, communicate risks in meaningful ways, and understand the business.
By no means is this a complete list. Drop me a note with some non-technical rules of thumb that you’ve found effective.