A Sense of Security: Security’s New Focus: Defensibility

Published On July 08, 2019

So, you’ve obtained the buy-in, spent the money, and have gone through the motions of creating your information security program. You’ve done what you believe to be right in terms of design, implementation and ongoing oversight, all in the interest of minimizing business risks. Frameworks have been followed. Best practices have been established. Policies are in place. The necessary technologies are running and, presumably, keeping things in check. Auditors and consultants say that things look solid. It’s all humming along under the assumption that the necessary steps have been taken to lock down your network and information assets.

But then it happens – that dreaded security incident or confirmed breach. Investigations ensue and, as it turns out, things weren’t quite as secure as you had assumed. How can this be?

Checked Boxes Won’t Cut It

We as humans tend to go through the motions, assuming that all is well when it’s actually not. We do it with our health. We do it with our finances. And, in the context of business, we do it with IT and security. The proverbial boxes have been checked but things aren’t running quite as well as assumed. IT and security professionals believe that they have done their part. They have the visibility and necessary controls to detect and respond to security issues. Executive management is on board because they have okayed the budget and are seeing security-related actions in and around IT. Even users are part of the team. After all, why would they otherwise have to endure all that security awareness and training? Unfortunately, our love for checking things off our to-do lists is often at the heart of security incidents and breaches. By following so-called security best practices, there’s an assumption that the right work is being done, therefore, security is where it needs to be. Unfortunately, it’s often not.

Who’s Minding the Store?

In my work performing independent vulnerability and penetration tests, security program reviews and virtual CISO work, I see a lot of security action that looks great on the surface. However, digging in reveals that much this action merely serves to create a false sense of security. IT and security teams are often undertrained and overworked – not a good combination when you’re responsible for managing information risks! Security products and services are underimplemented. Users are unaware. Dare I say that executives are oblivious.

Don’t get me wrong, I’m not suggesting that all aspects of all security programs I see are negative. There’s a lot of good taking place. The real challenge is the disconnect between what’s there, what is (or is not) being done with it, and how it’s all being measured. All of this is creating an atmosphere of what I refer to as a lack of defensibility. In other words, it looks good on paper but quite likely won’t be defensible when something goes awry. I’ve done a good bit of expert witness work related to data breaches and compliance and have seen what takes place during and after security incidents and breaches. Once lawyers get involved and investigations take place, it often comes down to whether it can be shown that the breached organization was taking a solid (defensible) approach to security. This is exactly where many security programs fall short. Again, it gets back to the “get it done now so we can check that box” mentality without fully fleshing out the program. Security is in place, at least in spirit, but the risks still exist.

Getting a Fresh Start

Starting today, and periodically and consistently moving forward, make sure that you’re not just going through the motions with your security efforts. Instead, you must ensure that they’re creating tangible results and value for the business. A great way to see the forest through the trees and find the 20 percent of your security issues that are creating 80 percent of your challenges is to bring in a fresh set of eyes – an outside party – that can have an unbiased view of how security is working in your business. If you prefer to keep these efforts in-house, make sure that your security team is at an arms-length distance from the IT function and the fox is not guarding the hen house. Regardless of your approach to security assessments, develop metrics for the various areas of security – technical controls, security operations, user education, and so on – so that you can measure and improve over time. Such metrics would be very specific and measure tangible aspects of your security program involving technical controls, security operations, vulnerability and penetration testing, user education, and so on. Certain metrics such as phishing results can be measured in near real-time. Others such as known vulnerabilities might be periodic (monthly or quarterly) while others such as remediation windows for confirmed incidents will (hopefully) encompass a larger time span. The important thing is that you’re measuring and managing periodically and consistently over time.

You’re not going to prevent all security incidents. And, odds are, you’ll be faced with a data breach situation at some point. The important thing is that you’re taking a defensible approach to security. Don’t just spend the money and go through the motions to make it look like you have a good security program. Follow the sage advice of trusting but verifying. Have the discipline to evaluate/assess things to look for opportunities for improvement. This approach will not only help you meet your longer-term security goals but also leverage security for competitive advantage and ensure the long-term viability of the business as a whole.