IFSEC Insider | Security and Fire News and Resources

Finding Security’s Middle Ground

The IT security industry is notable for a variety of reasons. Perhaps, though, the most notable hallmark of the current state of security is the duality found in just about every aspect of the industry. To succeed, though, we need to find some middle ground.

Now, to be fair, I do see some middle ground. Believe it or not, I’d point to security vendors as perhaps the poster children of my point. These organizations have an interesting mix of competition and collaboration. Each creates its own product or service, whether it’s a data loss prevention (DLP), antivirus, antimalware, or encryption. These companies still work together to identify and quantify the state and nature of emerging threats. They readily share information about the newest sophisticated strain of malware, the cleverest phishing exploits, or newest man-in-the-middle attacks.

For the rest of the security market, we often find ourselves picking between one side or another of two seemingly diametrically opposed thoughts. There are at least three that come to mind immediately for me.

Compliance vs. security
For a long time, compliance concerns have driven security spending. Many industries have compliance requirements: for the financial industry, there’s the Sarbanes-Oxley Act of 2002; for healthcare providers, there are tasks created by the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and retailers live under the Payment Card Industry (PCI) Data Security Standard (DSS).

In the past, organizations, especially small and midsized businesses, have felt relatively safe, and so have let compliance rule their security spending. Now, targeted attacks are being focused on SMBs more than ever before — and these businesses need to think about getting beyond check-box compliance to actually secure the intellectual property, data, and systems of the organization.

At the same time, compliance demands remain important — and can’t be neglected. We need to realize that compliance does not equal security, nor is the reverse true. We have to address both in order to succeed.

Ease of use vs. security
The conventional wisdom in many organizations is that users won’t adhere to security practices that are inconvenient. To a certain extent that’s true. Users often try to work around technologies, systems, and requirements that seem to impinge on their productivity. In fact, organizations have found that users abandon antivirus apps that slow down the system. Often, these same users eschew encryption technologies for the same reason. And, of course, the password conversation never ends: users continue to use the same password over and over, write their password on slips of paper, share login credentials with other employees, and the rest.

Businesses cannot let this reality force them to abandon the goal of creating a secure organization. Ease of use should certainly be a keen consideration when choosing and developing security systems. At the same time, creating and enforcing corporate policies around security, and backing up those policies with regular and effective end-user training, can go a long way toward strengthening users' commitment to security standards even when they are a bit inconvenient.

Prevention vs. remediation
Another technology-based conversation that abounds is the debate about whether to focus on preventing security snafus or invest in technologies that offer forensics and other remediation capabilities. On the one side, IT pros are convinced that some combination of technologies can secure the organization. Meanwhile, remediation fans believe that breaches are inevitable, so the focus should be on getting the organization back on its feet, rather than throwing good money after bad, hoping to lock predators out.

Of course, few organizations fall completely in one of these camps or the other. On the other hand, SMBs face an emerging reality that they are caught in the crosshairs of cybercriminals, and are fighting the fight with minimal budgets and limited expertise.

Ending the digital divide
Sometimes, it’s comfortable to choose sides. It makes it seem as if the ultimate solution is clear and easy. When it comes to IT security, though, we need to abandon this type of black-and-white thinking and adopt a more analog model. (To offer one analogy: I’m talking about replacing the on/off switch with a dimmer switch.) It’s much harder work to create solutions that drive both compliance and security, to provide users with solutions that are both easy to use and secure, and to create a security stance that addresses what happens before, during, and after an attack. As an industry, we need to move away from our either/or thinking and create technology and best practices that allow for a both/and stance. The middle ground of security is where true security lies.
