For something that was unheard of when the Internet started (though viruses were there all along), security now has departments completely separate from IT, led by a C-level executive. That is quite a transformation in 25 years. There is a myriad of tools, techniques, methodologies and standards, coupled with an even larger myriad of vendors doing everything from mundane email filtering to AI-fueled traffic analysis, and all of it can be both confusing and tiresome.
To try to make sense of it, here are some key learnings:
- It’s all about people and hygiene. Bet that is not the first thing that comes to mind! However, people are the weakest link in security, and lack of hygiene (good practices) is what drives them to do unsafe things. No matter how many tools you have in place, if your users have a habit of going to unsafe web sites, clicking on links and opening attachments, you will be in trouble.
- Certifications do not mean good security. This is true everywhere, but more so in security. You can have terrible security practices and yet be certified that you follow those practices religiously. If you ever have to choose between making security better and getting a certification – start with fixing security.
- You don’t need that many tools. We are far from having a single solution that fits all needs, but this does not mean that every single possible scenario needs to be covered. Think of security like an onion. Not every leaf covers the entire core, but the sum of leaves covers the core. That’s probably the best thing to keep in mind when designing your security architecture.
- You cannot solve all security problems. Someone will at least once outsmart you, and you better have in place the people, process and tools to identify the problem, limit the damage, restore the systems … and take revenge if you can.
- Security should not be an ivory tower. The more isolated the security team is from the organization, the less likely policies are to be followed, and the less likely the security team is to know what is going on. The security team needs to work with the other teams to understand the business need and HELP achieve the goal while also keeping security.
And that is it. Behind all these statements there is a lot of hard work, but keeping these simple ideas in mind can get you to a safer place.