In the rush to improve our security, we can easily conflate “new” with “better.” This “cargo cult” mentality means piling up security solutions and expecting good things to follow. Instead, it can lead to wasted effort, ineffective budget spending and missed opportunities around existing security priorities.
So how can we make the most of our basic security processes, and where can we concentrate our efforts to ensure our budgets go further?
Looking at attack surfaces
One of the easiest areas to overlook is security hygiene. This covers tasks like vulnerability scanning, configuration compliance and patching programs. By paying attention to security hygiene and Attack Surface Management, it is possible to remove many of the biggest risks that could affect your enterprise, and the dividends are felt across the organisation.
While starting an effective Attack Surface Management program is typically not all that complex, keeping it running over time is a challenge. For example, an asset inventory should be the base for all decisions made around security priorities. However, while asset management has existed for years, getting this inventory process right is still difficult for many enterprises.
Without asset data readily available, it's easy for incidents to spiral quickly into serious problems, because the real scope cannot be established. A lack of accurate and complete asset management data creates blind spots that aren't noticed until an issue has already manifested.
So why is this so difficult to get right? A lack of interest and internal politics can make security hygiene a struggle. Internally, the emphasis is often on the new, and as a result many teams find themselves chasing the next shiny thing to the detriment of what already exists. There is always a next big thing in security, and it's easy to get distracted by what is at the “cutting edge.”
Conversely, keeping the lights on is not valued as highly. Running these kinds of programs is hard and often thankless, and the work gets pushed into the category of “too hard” and therefore ignored.
For security teams, being the ones to implement new technologies is often seen as a reward for effective work. These projects can be great for CVs and personal development. However, the cost of these new standalone solutions is usually very high, and the return is nowhere near as effective as improving existing Attack Surface Management programs. We have to reset our internal team values so that efficient maintenance and hygiene are valued as highly as new deployments, and both areas receive the attention and support they deserve.
Investing in existing and mature Attack Surface Management programs can deliver substantial dividends in driving down risk. More importantly, this can link into other IT team initiatives such as software development, so that these good habits are applied earlier in other company processes too. This can stop problems reaching production, where they are more expensive to fix. For those worried about not having new implementation projects on their CVs, the lure of working on agile development and DevOps projects should be an attractive substitute.
Improving security training effectiveness
The second area where enterprises can improve their return on investment is training. For many companies, the budget for developing their own security staff and the budget for security awareness training across the rest of the organisation come from the same pot of money.
Unfortunately, this is often one of the first budget items to be cut. These programs can be seen as low value and low return, when in fact they can deliver some of the highest value to the organisation. However, they need more thought about psychology in order to deliver good results.
Combining both areas into a security champions program is an effective way to improve both security team skills and company-wide awareness. Some IT security leaders see these programs as software developer issues that are out of scope. However, with most enterprises running large developer teams and DevOps projects, it's critical that we bridge the gap and drive security as early in the cycle as we can.
Under-investment in training and awareness can leave your organisation unprepared to react and respond to events that could have been avoided or mitigated much earlier. By embedding security into development, and by providing support for secure coding as standard, you can reduce rework cost while also removing security as a barrier to innovation and fast releases. Finding and developing champions within other teams not only makes security more effective, it improves collaboration over time too.
Taking a proactive approach to security’s image
As CISOs, we are all aware that security can be perceived as the department that stops others from working as quickly and efficiently as they could. In reality, security can stop those teams from running headlong into unnecessary risks. Getting involved earlier, around good hygiene and security awareness, is the best way to improve the image of security internally.
The issues that still linger and cause the largest problems are often not all that complex to address, yet we seem to lose interest in them once they are no longer new or cannot be resolved quickly. It's a problem of focus: doing the work, setting expectations appropriately, and constantly driving towards a higher maturity state for the programs we need to invest in.
Author: Ben Carr, Chief Information Security Officer, Qualys