The Information Security and cybersecurity conferences are flooded with relatively ‘new’ developments such as Next-gen, IoT (Internet of Things), IoT DDoS, Security Intelligence Platform, etc. Today, some of these terms have become ‘hype.’ This is not a problem, but it makes one wonder whether the security world may be looking at things in the wrong way and thereby missing the demands that need to be addressed.
ESET, a Europe-based IT security provider, shares five basic cyber security lessons from its experts. Dave Maasland, CEO of ESET Netherlands, in association with Fred Streefland, IT Security Manager at LeaseWeb, explores a new way of looking at cybersecurity, one that is directly connected to business needs.
Lesson 1: Start with the business (and its risks)
Security is nothing more than reducing or taking away risks, and making them visible so that the business can accept them and continue doing its work. It can be exceptionally complex, but its essence is simple. People have to understand the business to face the challenges of security effectively and efficiently. They should not see it solely from an IT perspective but from the broader perspective of the business. When starting from the business, they first have to identify, map, and categorize the risks of that specific business. Secondly, together with the business itself, they need to determine which risks need to be dealt with and in which order. Afterwards, the person responsible for security within the company has to set up a security plan that describes how these changes are to be executed, with clear goals and deadlines. Ideally, this should be done in a ‘smart’ way, one step at a time, so as not to engage in too many projects at once.
Lesson 2: Determine a security roadmap with a clear goal, step by step
Defining the security approach (or security roadmap) is essential, and it should be discussed with the business on an ongoing basis so that necessary adjustments can be made. This reduces risk and contributes to achieving the goal. The people responsible for security shouldn’t ‘restrict or obstruct’ the business with security measures. The plan should be something that is understandable to everyone, even someone without IT skills. Of course, IT plays a role, but only at the last moment, when IT solutions are needed to execute the security projects.
Lesson 3: Cover the basics before implementing more advanced security solutions
Most organizations don’t even have basic security measures in place, let alone advanced security solutions. The presentations of security companies on these technologies often look stunning and offer interesting content, but they are simply too advanced for most companies. Furthermore, experience shows that most hacks (about 90%) still use the simplest methods and weaknesses for attack, such as phishing emails, malware attachments, etc. And of course there is the weakest link of all: the human being.
That is why companies need to put basic security measures in place before they turn their attention to more advanced technologies. Although these are important, they should be implemented later, only after the basics are fortified. During security congresses, companies focus on sophisticated threats and APTs (advanced persistent threats), but companies such as TalkTalk and Ashley Madison might have been protected from attack if even basic security had been in place.
Lesson 4: Build the right partnerships; Cooperation between IT Security professionals is essential
New developments are arising quickly. Malicious groups and individuals are using more varied and advanced attacks and tactics. Eventually, more advanced security solutions will become inseparable from our organizations’ broader security roadmaps. However, the foundation has to be in place before the ‘house’ can be built. And to build this house, cooperation is needed between the architect, the realtor, the mason, the plasterer and, of course, the homeowner.
This sense of building something together, step by step, is exactly what needs to happen in the security world. There is a need to cooperate intensively because, much like building a house, there is no single owner or architect who is also the best in masonry, painting, or construction. No single security company has the best solution for each and every security risk, so working together is a must. Those who would cause the company harm are already doing this, so it’s time security professionals do the same. First, start with the owner (the business) and the foundation (the roadmap), and then forge relationships with the right contractors (security vendors). Only then can a strong, reliable, and safe house be built.
Lesson 5: Get everyone involved, it’s the only road to success
To make progress between security and the business, there has to be understanding and support from the business – and vice versa. The one(s) responsible for security have to be able to provide short and clear explanations in order to get all of the different stakeholders in the company to participate. If they can’t, then the business (and the board) will never understand, and there won’t be the necessary buy-in and support to implement their plans (no matter how good they may be). As Einstein once said, ‘if you can’t explain it simply, you don’t understand it well enough!’