I must admit, in my initial conversations with Jerry about the business of True (at the time DESA) and coming on board to manage the business, I had visions of cutting-edge technology, foreign hackers, and top secret 3-letter government agencies. So at the risk of telling you that Santa is not a real man who travels the world delivering toys in one night to every worthy child, and is really only the spirit of giving and child-like innocence, it turns out... hold your breath... security really isn't that sexy. While 'cool' security technology exists and sometimes even works, e.g. retina scanners and biometric locks on the data center door, it will always be negated by a drop ceiling that anyone can climb over; foreign hackers are plentiful, but you're probably more likely to get rear-ended on the way to lunch this afternoon than to get hacked this year; and 3-letter agencies (the NSA, FBI, etc.), while real and cool, face the same issues we all face. Those agencies have deeper pockets than you or I can imagine, but they are also forced through an endless ocean of red tape and bureaucracy to do anything about it.
Folks, I've learned a couple of important lessons over the past two years:
- Security is NOT "in the blinky thing", as one very large security hardware vendor would like you to believe.
- For 90% of you reading this, there is ZERO ROI in securing your information, data, people or infrastructure, so don't bother trying to calculate it. Security is a cost center just like accounting, payroll, HR, and yes, executive management! Of course there are exceptions, the big one being when a prospective customer tells you that you can't win the business unless you're X-certified (X = PCI DSS, HIPAA, NERC CIP, etc.).
- Lastly, and most importantly: it turns out that at the end of the day, real security comes down to common sense and managing human nature.
OK, so while I've obviously been having some fun with this, I want to be clear that security is serious. Threats are very real, and many of us face tangible business drivers that preclude us from ignoring the responsibility of securing our people, infrastructure, data, and information. As a professional information security services provider, the problem we most consistently see is that too many organizations go about the business of security in an inefficient and costly manner. The most common examples we encounter are: relying solely on internal IT staff to address critical security requirements; grossly over-buying hardware and software without understanding the impact or the daily operational burden of running it; taking an ostrich, head-in-the-sand approach to employee behavior; and neglecting to match risk tolerance to operational objectives in the most efficient manner.
So I'll wrap up with the following advice, which will ultimately save you a ton of money and help you operate more efficiently given your specific risk tolerance and business objectives:
- Implement and enforce comprehensive security policies and procedures and clearly document information flow throughout the organization.
The fact is, you are far more likely to experience a security breach from an internal source. Furthermore, that breach is likely to be completely unintentional: possibly stupid and completely irresponsible, but unintentional nonetheless.
- Seek the guidance of a certified, experienced information security firm or professional for compliance, vulnerability and exploit management, intrusion detection and prevention, and secure software development lifecycle services.
You wouldn't ask your family practice physician to remove a clot from an artery or treat an aggressive form of cancer. So it is with information security!
- Provide basic security awareness training to your staff on a regular basis.
- Once you find a group or individual you trust, act as if they are an extension of your operational and management staff.