“I have all the resources I need, doing all the right work” — said no security leader, ever.
For most leaders running a security program, there is an ever-present sense that whatever they are doing isn’t enough: there is always more to do, always some weakness that still needs mitigating. It’s not surprising, really.
Start by taking a look at all the security frameworks and guides that suggest (or require) Things To Be Done. Even if you’re in one industry, in one geography, you are subject to a myriad of rules, regulations and guidelines. ISO, NIST, C5, IRAP, ISMAP, etc., etc., etc. Heaven forbid you support a multi-national organization, or a conglomerate of industries.
Then, go take a look at all the guidelines based on technology: Cloud Security Frameworks, OWASP, IoT Security. You could spend your entire security budget on Active Directory alone, and still not address all the vulnerabilities there. Every time your CIO decides to use a New Thing (cough, Artificial Intelligence, cough), it’s back to the drawing board to learn its threat surface, risk profile and attack sequence.
For giggles, go attend a few security conferences. Particularly ones which allow security researchers to demonstrate new findings. There you will find amazingly smart people with new and exciting ways to take down your organization. Ways you hadn’t thought of before, have no solution for, that will require additional staff or services to manage.
And let’s not get started on the explosion of vendors selling point solutions to solve security problems. Take a walk on the vendor floor at any big conference. Sure, you’ll find the big security companies with their security platforms (which each have niche features). You’ll also find the start-ups who, in order to make a dent in the industry, focus on ONE THING, hoping to go public, or get bought by the big companies. You will find a solution for many security issues, but good luck knowing if it’s worth the time and money to put it in place.
Finally, on this tour of pain, go take a look at recent public breach events, and the commentary from the industry and press. There will be some small amount of sympathy for the victim company, but more often there will be…