For most people, the benefits that IT Security brings to a business and its people are intangible. Once upon a time we, as security professionals, were insurance salesman selling an investment in case of an attack. Unfortunately, the days of ‘in case of attack’ have passed. We have transitioned to security guards waiting for the attacks to occur. And yet, while cyber threats have become a certainty, I still think the biggest challenge for IT security professionals is to sell the benefits of IT security. Because let’s face it, security will never make money for your organisation but it is likely to save you money.
In response to the absolute certainty of cyber threats, certain security requirements are now mandated for organisations. The myriad of standards and controls provide the mechanisms for organisations to assess their levels of ‘compliance’ and reduce their risk of cyber intrusion. But is compliance enough?
The risk of compliance
Increasingly, the focus of organisations is to be compliant with the mandated regulations and controls. The risk with focusing on compliance is that technology, people and process become isolated. They are implemented individually to meet a control but do not support each other or the overall intent of the regulations. The IT environment becomes a patchwork of black boxes and isolated processes. On the surface, the security posture seems fine; there are big green ticks for all of the compliance controls. But what happens when you start to dig, as an adversary would?
You start to see cracks! Cracks between the technologies, the people and the processes. Once you scratch the surface, you start to see that risk mitigation strategies are only surface deep and that the ideals of a layered approach to security are not there. These are the cracks that an adversary uses to gain access, move horizontally and escalate privileges within an environment.
So what can we do about it?
Security through commitment
As mentioned before, we need to sell the intangible benefits of IT security to the organisation. Sure, easier said than done! But this is where we begin to ‘value add’ in the organisations’ security maturity journey. It is the organisation and its culture that pull the technology, people and process together to provide a commitment to security. As the environment comes together, the technologies, people and processes can overlap to enable a layered approach to security and provide risk mitigation strategies that have depth and meaning, not just a green tick against a compliance statement.
Don’t get me wrong, a compliant organisation is great but it is only the start of security maturity and is only the start of meeting the intent of security compliance. The goal should be security commitment. Is your organisation committed to security or just compliant?
IT Security Consultant