“All the security in the world is worthless unless it is deployed within actionable context.”
Years ago I found that one organization, which is very well known globally, had a multitude of experts. The problem was each individual had a very narrow focus on their assigned task within a large organization. To slightly exaggerate, it was as if one person’s job was to make sure anti-virus was running in memory; another to make sure it was updating; another to make sure it was scanning the computer at designated intervals – and NONE of them talked with one another or coordinated on any actionable level. Security products and services are much like this organization if not deployed properly within an organization.
A long time ago, in a galaxy far far away (okay, what movie am I going to see this Christmas?)…we started recommending firewalls and anti-virus as a best practice. These solutions, and others with increased capabilities and maturity for the larger governance challenge of an organization, have since emerged. But ask yourself this question: are they effective? Do you spend a lot of money, thousands upon thousands, only to ask for more the next budget cycle with the same problems and threats, if not more? This doesn’t work for a manager looking for ROI to sign off on the checks. It also doesn’t work in the face of a rapid and mature adversary in 2015.
Security in 2015 must be integrated into an actionable strategy for the enterprise. These are sexy buzzwords for folks trying to sell something in a box, but it’s really hard to do in the real world of security – especially for a large, complex organization. As an organization matures it moves from operational IT and best practices to security; from security to optimized security; from optimized security to cutting-edge cyber threat intelligence and customized, innovative solutions.
Where are you on your path to celebrating a mature and optimized security strategy as governed within your organization? The honest answer is “kinda sorta” for most organizations, and lower on the totem pole than they’d like for progress, due to challenges like lack of resources, budget, and skilled staff. Due diligence in your governance, over a long period of time, really does help you to get ahead. It starts by adopting an attitude of context, where people talk at all levels of the organization. Most importantly, make sure that whatever product or tool you’re using, or action you take to support a policy or plan, is always contextualized within your risk management strategy.
As an example of context to round out this thought:
If you have malware discovered on your network you’re not alone – it happens every day on networks all around the world. However, what if it’s malware that is commonly associated with nation-state actors and targeted espionage attacks? I would hope that changes things for you and your response to the threat, as it is very different from an adware component in a browser (speaking of risk/threat). Making sure the proper context and priorities are established in every incident is key (don’t just patch and move on). Make sure people are talking and trained so that collaboration takes place where ownership is seen, not just talked about (for the greater problem, not just your role).
Remember, context is king and it’s your job to make sure you’re always establishing it with every action within your organization – tied back to your security strategy.