As I get to know my new Pivot Point Security customers – while also reflecting back on my past Information Security employers, consulting engagements, and the information security strategies I’ve implemented – there’s a common theme that often pops up. It’s: “Oh, you’re a CISA and a CISSP so you’ll know everything we need—now tell us what’s wrong and then fix it and we’re good-to-go.”
When I then ask: “So, what are your concerns and your goals, and what would you like me to do for you?” the conversation stalls, because the person across the table is looking for a magic bullet, not a dialogue. They’re thinking an InfoSec strategy is something an expert creates and walks away from, not an open-ended relationship with risks, business needs and other bigger-picture factors.
For example, one of my past employers had a goal to eliminate all their audit issues. I was a CISA (Certified Information Systems Auditor), so surely I was the professional they needed. And it was my job to make these information security issues go away.
Well, I made their issues go away. Then I wanted to proceed and build a program so they’d never come back. But they basically said: “No, we’re good.” All they wanted was to play catch-up with their current security risks. They didn’t want to make changes that could help prepare them for the next InfoSec vulnerability or the next intrusion.
Future-Focused Information Security Strategies
You can always clean up the past (if you have the money). A better plan is to prepare for the future, because it’s coming whether you like it or not. That’s why it’s important to take a longer-term approach.
Your goal should be to cover the basics now as you develop a more mature organizational security mindset. You’ll also want to begin creating “living,” dynamic InfoSec policies and procedures so you can stay prepared and adapt to a changing landscape of threats, compliance issues, customer demands, etc. Just plugging the gaping holes and putting in place what you needed yesterday is not a viable security posture. It’s more like a false sense of security.
Another reason that InfoSec can never be one-and-done is that your own business/IT environment is always evolving and you need to stay on top of that from an information security perspective. Otherwise you’ll always be vulnerable to getting nailed because you missed something simple.
Have you recently introduced new, IP-connected security cameras, light fixtures or any other “smart” devices onto your network? These can introduce major network vulnerabilities. Are you up to date on operating system and other critical patches? What about company data on employee mobile devices?
There’s no quick fix to any of these InfoSec challenges. Hiring an expert can help you gain perspective and hopefully establish priorities, but it will never solve all your problems. That attack you won’t see coming is without a doubt coming: the question is, how prepared will you be when it hits?
The answer lies in your security policies and procedures and how well you’re living up to them.
Prepare Your InfoSec Strategy Today
InfoSec isn’t a destination. It’s a mindset and a strategy that you have to live today and tomorrow and the next day. As you go, you learn from what happened yesterday so you’re better prepared tomorrow. Tools and expertise can help, but they can’t save the day.
If you’re just starting to think about InfoSec, you probably know you need some help. But you might not know exactly what kind of help you really need.
Contact Pivot Point Security to start a conversation on what a holistic, sustainable security posture could look like for your organization.
For more information on long-term information security strategies:
- Security is a Journey, on securityweek.com
- Cyber Security is a Journey, Not a Destination, a Bloomberg TV video
- The Information Security Process, a SANS paper