A Little About Security Mindset

June 23, 2020

Tweet This:
Share on LinkedIn:

By Kevin Prater, Kovarus, Practice Manager Collaboration / Security

Not all that long ago, many organizations, and their leadership for that matter, viewed network security as just a big fat insurance policy. A capital expense with a fuzzy ROI. “We’re pretty secure here,” and besides, “it always happens to the other guy,” right? Then we started seeing the headline grabbing stories. The kinds of breaches that massively affect customers, revenue and severely impact people’s career trajectories.

The Sony breach, Target, Equifax, really seemed to get everyone’s attention. Tens of thousands to millions of pieces of private, sensitive information stolen and out in the wild. And that’s not to mention the ones that don’t necessarily make headlines but can be every bit as devasting to an organization; yes, ransomware. We’re seeing those more and more every day and they can be crippling to a company of any size.

Cyberattacks cost companies and consumers billions of dollars every year, in fact the average cost of a single data breach worldwide is reported at $3.9 Million; in the U.S., $8.2 Million. Those are scary numbers, but if you could find a silver lining in this, it’s that leaders are now giving network security the attention it very much deserves. It’s becoming viewed less of an insurance policy and more like the business continuity necessity that it truly is.

But is a secure environment all about the latest, fastest, most powerful widget, gadget, or dashboard? Is it about standing up your own dedicated security team or security operations center (SOC)?  Is it about being compliant to every conceivable government standard or requirement or even standing up a new set of strict security policies? Maybe, maybe not. I wanted to take an opportunity in this post to just think out loud and maybe offer a different perspective when it comes to addressing your organization’s security posture.

Mindset

What comes to mind when you hear the word security? I’ve found that it means a lot of different things to a lot of different people, and it really depends on where you find yourself within the organization. If you’re on the front lines in IT and dealing with the infrastructure on a day-to-day basis, you’re probably thinking more tactically; what fires do I have to put out today and what hardware solutions do I have in place? Firewalls, intrusion prevention systems, maybe email security solutions. Those are the sorts of things you’re probably thinking about.

Take that up a layer and say you’re a manager for a particular line of business within the company or an operations manager for the organization as a whole. Your mind is wrapped around enabling your particular department or various lines of business, so you may be thinking about things like time to resolution for trouble tickets. How does my team get their work done during this downtime or outage? How is this data breach or data compromise going to affect my team from a day to day perspective?

Lastly, if you’re in a leadership role, you’re typically thinking on a much broader scale and much more strategically. Issues like, how are these security policies going to affect the enterprise as a whole? Do I have the skill sets and talent in place to not only administer and implement our security technologies, but also keep them aligned with our standards and policies? What about business continuity, quality assurance and regulatory considerations; these things weigh heavy on leaders’ minds.

There are a lot of different aspects to take into consideration when it comes to network security and it’s pretty easy to see here that it’s a huge umbrella that can translate to any number of things. It’s a big challenge for those in IT to really get your arms around and ensure that all the pieces and parts are working together cohesively and meeting requirements.

Not about product or policy

I’m going to make a bold statement; security is not about product. We can have the speediest, most powerful firewalls on the planet, IPS systems, internal visibility, analytics — and you will still find yourself vulnerable in one area or another. Security products alone are not the panacea, they will not solve all of your network security problems by themselves.

And let’s be honest, security policies typically only go so far in organizations. From a user’s perspective, security is just a pain. Anything they can do to ease their way of life from a day-to-day perspective they’re going to do. Whether that’s using the same password over and over when they’re forced to change it, or leveraging shadow IT to bring personal devices or applications onto the network, they’re going to do it to make their lives easier and circumvent your painful security policies. And as IT professionals, one of our big challenges is ensuring that our security policies are in place and pervasive throughout the organization.

Tiny Shift

In Cisco’s CISO benchmark study 2020:

This last bubble is what I really want to call to your attention: Automation. That quite possibly is the secret sauce, and something we’ve been helping our customers with for many years. Automation is that tiny shift in mindset we need, that allows us to take a good security approach to an OUTSTANDING Security Posture. It’s the glue that’s going to help us weld our world class security products to our great security policies and ensure these solutions are comprehensive, consistent and pervasive throughout the enterprise. Automation removes the human factor.

The next logical question is, “What are we automating?” So, to begin the journey, we’re talking automation through configuration management and orchestration really. From a configuration management perspective, things like auditing and compliance. Having full visibility into the assets on our networks and ensuring that they comply with our existing security policies and meeting the standards you set in place by eliminating issues like config drift for example.

By orchestration we mean things like patch management, so automating the whole procedure from an OS perspective and then climbing up the stack to the applications themselves. In addition, things like validation, testing and delegation. Implementing self-service type models for organizations with developers that are spinning up virtual environments and virtual servers with applications, and ensuring these environments come on-line with security protections already in place, so really, security on by default.

These are the sorts of forward-thinking things that we’re working with our customers on daily, in helping them to solve their requirements. It’s an overused phrase but security really is a journey, it’s not a destination that we’re ever going to be able to arrive at and relax. The reality is, we’re never going to be totally secure but there are ways to make life easier. And that’s what makes it an exciting time to be in technology!

Let’s continue the conversation. Connect with me on Webex Teams! You can find me at kprater@kovarus.com.


Looking to learn more about modernizing and automating IT? We created the Kovarus Proven Solutions Center (KPSC) to let you see what’s possible and learn how we can help you succeed. To learn more about the KPSC go to the KPSC page.

Also, follow Kovarus on LinkedIn for technology updates from our experts along with updates on Kovarus news and events.