
Hailey Lynne McKeefry has spent more than 23 years writing about technology and business. She began her career as an editor at such periodicals as Macintosh News, EBN, and Windows Magazine. After more than 16 years as a freelance journalist, she has written about a broad variety of technology topics, with a focus on security, storage, healthcare, and SMBs. Living in the heart of the Silicon Valley, Hailey has written for many top business-to-business publications and Websites including Information Week, CRN, eWeek, Channel Insider, Channel Pro, Redmond Channel Partner, Home Office Computing, and TechTarget. She graduated from the University of California at Santa Cruz with a BA in literature.
April 12, 2013


Finding Security’s Middle Ground

The IT security industry is notable for a variety of reasons. Perhaps, though, the most notable hallmark of the current state of security is the duality found in just about every aspect of the industry. To succeed, though, we need to find some middle ground.

Now, to be fair, I do see some middle ground. Believe it or not, I’d point to security vendors as perhaps the poster children of my point. These organizations have an interesting mix of competition and collaboration. Each creates its own product or service, whether it’s data loss prevention (DLP), antivirus, antimalware, or encryption. Yet these companies still work together to identify and quantify the state and nature of emerging threats. They readily share information about the newest sophisticated strain of malware, the cleverest phishing exploits, or the newest man-in-the-middle attacks.

For the rest of the security market, we often find ourselves picking one side or the other of two seemingly diametrically opposed positions. At least three come to mind immediately for me.

Compliance vs. security
For a long time, compliance concerns have driven security spending. Many industries have compliance requirements: for the financial industry, there’s the Sarbanes-Oxley Act of 2002; for healthcare providers, there are tasks created by the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and retailers live under the Payment Card Industry (PCI) Data Security Standard (DSS).

In the past, organizations, especially small and midsized businesses, have felt relatively safe, and so have let compliance rule their security spending. Now, targeted attacks are being focused on SMBs more than ever before — and these businesses need to think about getting beyond check-box compliance to actually secure the intellectual property, data, and systems of the organization.

At the same time, compliance demands remain important — and can’t be neglected. We need to realize that compliance does not equal security, nor is the reverse true. We have to address both in order to succeed.

Ease of use vs. security
The conventional wisdom in many organizations is that users won’t adhere to security practices that are inconvenient. To a certain extent that’s true. Users often try to work around technologies, systems, and requirements that seem to impinge on their productivity. In fact, organizations have found that users abandon antivirus apps that slow down the system. Often, these same users eschew encryption technologies for the same reason. And, of course, the password conversation never ends: users continue to use the same password over and over, write their password on slips of paper, share login credentials with other employees, and the rest.

Businesses cannot let this reality force them to abandon the goal of creating a secure organization. Ease of use should certainly be a keen consideration when choosing and developing security systems. At the same time, creating and enforcing corporate policies around security, and backing up those policies with regular and effective end-user training, can go a long way toward strengthening users’ commitment to security standards even when they are a bit inconvenient.

Prevention vs. remediation
Another technology-based conversation that abounds is the debate about whether to focus on preventing security snafus or invest in technologies that offer forensics and other remediation capabilities. On the one side, IT pros are convinced that some combination of technologies can secure the organization. Meanwhile, remediation fans believe that breaches are inevitable, so the focus should be on getting the organization back on its feet, rather than throwing good money after bad, hoping to lock predators out.

Of course, few organizations fall completely in one of these camps or the other. On the other hand, SMBs face an emerging reality that they are caught in the crosshairs of cybercriminals, and are fighting the fight with minimal budgets and limited expertise.

Ending the digital divide
Sometimes, it’s comfortable to choose sides. It makes it seem as if the ultimate solution is clear and easy. When it comes to IT security, though, we need to abandon this type of black-and-white thinking and adopt a more analog model. (To offer one analogy: I’m talking about replacing the on/off switch with a dimmer switch.) It’s much harder work to create solutions that drive both compliance and security, to provide users with solutions that are both easy to use and secure, and to create a security stance that addresses what happens before, during, and after an attack. As an industry, we need to move away from our either/or thinking and create technology and best practices that allow for a both/and stance. The middle ground of security is where true security lies.

JonathanL
April 18, 2013 3:04 pm

Hailey the last part of your article really caught my attention and it is that really we can sit around and try to point the finger when things go wrong or we can try to work together to build a greater solution. Synergy I guess would be the appropriate term where together we could work to make a better solution that we could have made on our own. On top of that the changes for knowledge transfer and education alone could be worth the venture.

Rob Ratcliff
April 19, 2013 11:48 am
Reply to JonathanL

Jonathan, it’s true that too often finger-pointing can hamper an investigation, but equally, do you need a little bit of that, to make sure people don’t make the same mistakes again? But only after the investigation and the remedy have been enacted.

HaileyMcK
April 22, 2013 8:26 pm
Reply to JonathanL

@ Jonathan, I think partly it’s a CYA maneuver in which people want to make sure that the blame is pointed in another direction. On a technology note, I think that organizations like to believe that it’s possible to create a protection strategy that will cover every eventuality so there is a resistance to talking about what to do after a breach occurs. I think that if organizations look clearly at the security landscape it should be really clear, though, that the security threats are outpacing our ability to manage and contain the threats. It’s unwise to think that…

HaileyMcK
April 22, 2013 8:29 pm
Reply to Rob Ratcliff

@Robert Brown, I think the secret here is to make sure that the focus is on “What happened” rather than “Who did it”. (Unless of course you think you have a bad apple that is either unwittingly or on purpose putting the organization at risk.) You have to put the focus in a broader circle… Was it that we protected the front door and back door of the organization but missed a window? Was it that the newest threat outpaced the current security? Is it new or emerging? Do we need another layer of security? Do we need a new…

ITs_Hazel
May 4, 2013 12:57 am
Reply to HaileyMcK

I’m somewhere in the middle here. While I think it’s also important at times to find out who did it, the ‘What happened?’ part is also incredibly crucial. The first, to check out motive and perhaps evaluate their position. The second part, obviously to learn from the experience and work to make sure that it doesn’t happen again.