It may be the first day of spring here…but it certainly does not look or feel like it, with a fresh dusting of snow and temperatures that continue to make me long for sipping cold drinks on a warm beach. The reality is…spring will come, and with it another round of interesting security breaches being reported around the world: the General Services Administration in the US, Evernote and LinkedIn, while Oracle seems to be issuing a critical security patch for its Java product every week.
With breach after breach and patch after patch, what is an IT professional supposed to do to ensure that the data in his charge does not fall victim to the same fate as the daily flood of data breaches? Well, there is the option of pitching cyber insurance as a way to protect not the data but the company’s reputation, and to offset the inevitable fines and lawsuits that follow a breach…I had actually never heard of cyber insurance before, but Cyber Data Risk Managers are there to help…I think…maybe??
Instead of insuring against the inevitability that you will have a breach…let’s take a step back and look at whether you have done EVERYTHING that is reasonable to protect that data. The reality is, with just 24 hours in a day and on average 3000 minutes of working time available each week…there needs to be some priority setting…not just from a time perspective but also from a cost perspective.
Have you done an actual risk assessment? Do you know where your potential vulnerabilities lie? What about network assessments and external vulnerability scans? Throwing more security at a problem when you don’t know where the problem is…is not a viable solution and will only lead to a mentality of paying twice for one solution.
Interestingly, across several sources the number of dedicated InfoSec professionals is a hotly contested issue, ranging from 1 InfoSec employee per 1000 total employees to 3-5% of total IT staff. But what happens when your company has fewer than 500 people and 5% of your IT staff of 2 would mean literally giving up your right or left leg for the cause?
I work in an industry that takes great pride in offering vendor-agnostic advice, both through its content and through the advice that the analysts provide, and I learn as much about the world of technology as I do about the environment that my customers navigate from being on those calls with them…but the reality is, as the size of IT shrinks…so do the time, money and expertise available to protect against a catastrophic breach or security failure, and that breach becomes more and more possible.
If staffing is a problem, breaches are a problem and time is a problem, what about the gobs of technology options out there…can you not just buy your way out of the mess…adding layer after layer of technology that will protect the company’s data, make you look like a hero and ensure that every hole is plugged?
You can spend unlimited capital on security, the same as you can spend unlimited capital on a DR plan that will give the company 99.999% uptime, but in reality…does any company really need to achieve a statistic like 5 minutes and 32 seconds of downtime per year (including scheduled downtime)…I don’t think so, and your CFO will thank you for being pragmatic. Assess what your risk profile is for the different components of the business and start to build on a framework that establishes best practices for general and specific risk mitigation. Once you have identified the true risk, the security investments can be applied to provide an adequate response to the findings.
Is this approach foolproof? No, but I work with hundreds of customers and this is the way the best of them have applied their finite security dollars and achieved marketable success…which is good for me and good for them.
Chris J Powell