Channel: Symantec Connect - Blog Entries

Stop Thinking Like a Manager

SVP of Sales, EMEA, Enterprise Security, Kevin Isaac shares his thoughts on how to think outside the box

If you’re serious about security, stop thinking like a manager.

Here’s the thing about malware and the cyber criminals who propagate it: they don’t play by the rules. Or any rules at all, which presents a particular challenge for people like you and me―the security experts who need to stop them. That’s because many of the methodologies we might use to protect our data and infrastructure are designed to blindly follow a defined process.

They’re defined by what I call “The Compliance Audit Mentality”―thinking like a manager and going through the motions like a sleepwalker. Successfully completing a compliance audit with a pre-defined selection of security criteria doesn’t always reduce risk. It’s more like just ticking off the boxes and then moving on.

The problem is, cyber criminals know very well what those boxes are too.

It’s easy for them to work out where “compliant” systems will still be vulnerable―and therefore, launch attacks with a high likelihood of success.

It’s a crazy situation, which means that organisations may still be susceptible to a security breach after they’ve gone through a successful audit. That’s why I urge CIOs and CISOs to put the “Compliance Audit Mentality” to one side, and radically change their mindset.

We need to break our own rules.


If you’re serious about security, stop thinking like a manager.

Start acting like a leader. Leaders don’t tick boxes; they think outside of them. They share a vision. They inspire confidence and belief in their teams. Today’s visionary security leaders know that a compliance audit is only one part of the picture, and that without further security measures, the likelihood is that at some point their networks will be breached.

According to the 2016 Symantec Internet Security Threat Report, Vol 21 (ISTR), in 2015 the number of zero-day vulnerabilities discovered increased by 125% compared to the year before. Sophisticated malware and targeted attacks from outside sources or even employees are also constantly increasing in size and scale. Proliferation on this scale is almost impossible to defend against at the perimeter by treating your security like another exercise.

Instead, the visionary CIO leads their organisation through sound, constant risk management and data security controls.

Here are four recommendations on how to respond:

  1. Look at threats in a new way. We can’t block everything, so use advanced threat and adversary intelligence solutions to help you find indicators of compromise and respond faster to incidents.
  2. Ensure your security is solid. Implement multi-layered endpoint security, network security, encryption, strong authentication and reputation-based technologies. Partner with a managed security service provider to extend your IT team.
  3. Be ready for incidents. Incident management ensures your security framework is optimized, measurable, and repeatable, and that lessons learned improve your security posture. Consider adding a retainer with a third-party expert to help manage crises.
  4. Ensure security is part of your culture. Provide ongoing education and training to help your staff do the right thing; don’t just follow your policies. Regularly assess internal investigation teams—and run practice drills—to ensure you have the skills necessary to effectively combat cyber threats.

If you’re ready to lead your own organisation in that direction, then I urge you to take a look at the ISTR Vol 21 report. It includes some great statistics around the prevalence of ransomware and growth in different types of attack.

