When it comes to security, what are your biggest problems?
Today’s climate unfortunately has not gotten much better when it comes to cyberattacks and data breaches. Regardless of your industry—healthcare, financial, service, or manufacturing—your network is vulnerable to attacks that nation states (or even 12 year old kids!) may be implementing off of our shores and out of our nation’s jurisdiction.
Given the sheer number of criminals drawn to penetrating vulnerabilities in networks, cybersecurity has not gotten easier in 2019 (and many experts believe this insecurity may continue to manifest in our organizations for years to come).
When it comes to cybersecurity in 2019, many experts agree that simply focusing on bigger or better technologies is not the heart of the problem. Research and development, while useful in creating easier products or safer devices for our users to interact with, is not the golden ticket to security solutions.
Today I want to walk through 4 areas that are often holding organizations down when it comes to making sure their businesses are secure for modern threats.
Complexity—for better and for worse, our networks have become more complex over time. We have more devices connected to these networks, some moving across networks and others coming in remotely. There are collaborators that need to connect to our data, vendors that ask for access and users that might need a variety of permissions or accessibility (depending on what they are working on at a given time). What I’ve noticed over the course of the last 5 years is that complexity in our networks—and hence a lot of our security efforts—has increased to levels we might not have imagined prior to the advent of ransomware viruses locking down networks.
The sheer array of functions and initiatives that a security team needs to implement to confront complexity can often be staggering. The architecture needed to design and integrate security within a network as it increases in complexity leads to gaps between technologies. If your business is not considering how your network security is impacted as your organization grows or changes, you may be introducing gaps and vulnerabilities simply because the original network was never intended on accommodating so much change.
Gaps—gaps are always going to be present in any organization’s security. Think about your physical security. At some point, you probably have noticed a door in your building cracked open when it should have been shut, a gate left unlocked, or even a filing cabinet or computer screen with confidential information left for others to see.
When it comes to network security, we are dealing with similar items, especially when it comes to change. As you decide to upgrade software (or keep old software on your network when many are moving to a newer platform), gaps pop up in networks. In recent years, the scope and variety of gaps you’ve had to face as an organization has increased significantly. We can no longer simply map a gap to a specific technology and then fill that gap (this is how security used to be done). Today, we can’t wait for a new technology solution—most of us already have enough technology to solve the problem. What’s missing? Understanding how that technology can be used with people and process to make sure gaps get filled.
Security Vendors—what about your vendors? The security vendor space has grown quite crowded within the last few years. A lot of folks claiming to solve the same types of problems, many with little to no real world experience and a variety that aren’t quite sure how your business actually works when devising new solutions. For the most part, vendors try to sell their technology to businesses like yours, but what they fail to realize is what you actually need. Many are overconfident that their solution is the end all of solutions, but fail to realize that your workflows or operations might not be able to accommodate what they’re selling (and you might not realize this until after dedicating time and money into trying to fit their square peg into your round hole).
Advice—while much advice is cheap to come by, good advice is another story entirely. Many consultants have some idea or novel approach, but where their advice often breaks down is bridging theory to practice. As I mentioned above, advice is useless until you are able to connect the dots and actually do something beneficial with it. Unfortunately for most security advice, solutions are not practical or easy enough to implement without major dedication and resources.
Reporting—I think you might agree that in the world of security, no news is good news. When I get an update from a credit check or if you get a report from an identity monitoring service, you don’t want to hear that you have multiple credit cards or loans opened or a gal or guy in Florida using your Social Security Number. Same thing goes for your business—you don’t want to hear that someone has breached your network. Given this, it’s easy to understand why it’s difficult for executives to understand what value security teams have in your organization.
Security is growing and changing and may require buy in from your team before it is effective. Your dilemma today is if you do nothing you’re a sitting duck BUT if you change too much, you might not have a compatible system with your core processes and work flows. Security is more than technology and needs strategic thought and conversations to get right. There is no one size fits all solution.
