Non-Security Things That Can Sink A Security Program

A meteor entering Earth’s atmosphere
When Meteors Attack
3 wooden ducks lined up in a row
Are your ducks in a row? Photo by Jen Theodore on Unsplash

And Yet…

Asset Management

You cannot protect what you don’t know about

Technology Stack

  • Old stuff (beyond vendor support)
  • Distributed IT management (many decision makers)
  • Lack of technology standards (aka user choice)
  • Bleeding Edge/Customer Promises(IT and sales leaders doing new things without regard to operational integration)

Identity

Scrabble pieces that make the words “who” , “are”, “you”
Photo by Brett Jordan on Unsplash

If you cannot know that the person is who they say they are, with appropriate access based on what they do, with appropriate training and skill for their level of responsibility (particularly managers), then any control that uses identity (aka all of them) will be weak.

Organizational Governance

  • There needs to be an organizational vision and strategy that everyone understands and follows. If people are going in multiple directions without coordinating leadership, security has to fill in the gaps in technology, people and process.
  • There needs to be integrated risk management, so all the benefits of a strategy are evaluated alongside all the risks (not just security risks) of the same strategy. If leadership is only evaluating the upside of an idea, without understanding the downside, they are operating without full information, and security/legal/others must clean up the mess afterwards, usually without funding.
  • There needs to be accountability from the board on down, and trust from the front lines on up. It needs to be clearly communicated when the business is working well, and when it is not, without blame or retribution. Otherwise, there is lack of transparency and if security doesn’t know about it, they cannot help protect it.
  • Processes need to be effective and constantly optimized. So many security events happen because of poor non-security process. Bad processes anywhere in a business will undermine any security efforts.

So what is a security leader to do?

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Helen Patton

Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen