Page 8 - Cyber Warnings
FROM VULNERABLE TO VIGILANT
AN OVERNIGHT TRANSFORMATION FOR AN INSECURE ORGANIZATION
What is successful security?
Recently I’ve been pondering the question of how an organization determines whether they
have a “successful security strategy”. Product vendors and compliance initiatives repeatedly ask
“Are you secure?” as if it were a binary state, touting tools and checklists that will make it so.
But if the largest corporations with the highest security budgets in the world cannot stop the
onslaught of breaches, and if even the CIA and NSA can’t stop the steady drip of classified
information, then what does it actually mean to be secure, and who actually qualifies?
Security isn’t a binary state. Even if security nirvana could be achieved, it would be short-lived;
the next new vulnerability discovered would render that security posture insecure. For every
new lock created, a way to pick it will be discovered. Being impenetrable isn’t the goal. More
secure is the goal; and that pursuit is worthwhile at any stage of the security journey, even if
your organization is just getting started.
Establish a winning Philosophy
When interviewed after a notable victory, athletes will often speak of “having been put in a
position to win”, meaning they were provided a situation in which execution would result in a
win. In the case of security, a winning philosophy that puts your organization in a position to win
looks as follows:
• Acknowledge the threat. Security threats against your organization are real, and a
breach can have significant material consequences. It can cost an organization its
capital, hard-built brand, and even its entire existence. It can cost its officers and
employees their jobs, reputations, and potentially careers. Depending on the
circumstances, it can have legal ramifications. Take the threat seriously, and that will
inform the attitude toward every security decision to be made.
• Security is a way of life, not an event. Security culture is defined by the routine of
everyday operations, not by a quarterly vulnerability scan, occasional penetration test,
or annual PCI audit. How an organization behaves all day, every day, across every
department defines its security posture.
• Make a complete commitment from the top down. Once efforts commence to secure
an organization, the choice between doing things securely versus insecurely will
repeatedly arise. Without buy-in from top management and a complete commitment
to a secure approach, a shortcut will nearly always be taken, usually with the
justification that “it was an emergency”. Everything subsequently becomes labeled an
8 Cyber Warnings E-Magazine – July 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide