When you get paid to assess computer security practices, you get a lot of visibility into what does and doesn't work across the corporate spectrum. I've been fortunate enough to do exactly that as a security consultant for more than 20 years, analyzing anywhere between 20 to 50 companies of varying sizes each year. If there's a single conclusion I can draw from that experience, it's that successful security strategies are not about tools -- it's about teams.
With very good people in the right places, supportive management, and well-executed protective processes, you have the makings of a very secure company, regardless of the tools you use. Companies that have an understanding of the importance and value of computer security as a crucial part of the business, not merely as a necessary evil, are those least likely to suffer catastrophic breaches. Every company thinks they have this culture; few do.
The following is a collection of common practices and strategies of the most highly secure companies I have had the opportunity to work with over the years. Consider it the secret sauce of keeping your company's crown jewels secure.
Focus on the right threats
The average company is facing a truly unprecedented, historic challenge against a myriad of threats. We are threatened by malware, human adversaries, corporate hackers, hacktivists, governments (foreign and domestic), even trusted insiders. We can be hacked over copper wire, using energy waves, radio waves, even light.
Because of this, there are literally thousands of things we are told we need to do well to be "truly secure." We are asked to install hundreds of patches each year to operating systems, applications, hardware, firmware, computers, tablets, mobile devices, and phones -- yet we can still be hacked and have our most valuable data locked up and held for ransom.
Great companies realize that most security threats are noise that doesn't matter. They understand that at any given time a few basic threats make up most of their risk, so they focus on those threats. Take the time to identify your company's top threats, rank those threats, and concentrate the bulk of your efforts on the threats at the top of the list. It's that simple.
Most companies don't do this. Instead, they juggle dozens to hundreds of security projects continuously, with most languishing unfinished or fulfilled only against the most minor of threats.
Think about it. Have you ever been hacked using a vector that involved SNMP or an unpatched server management interface card? Have you even read of such an attack in the real world? Then why are you asking me to include them as top priorities in my audit reports (as I was by a customer)? Meanwhile, your environment is compromised on a near daily basis via other, much more common exploits.
Sign up for CIO Asia eNewsletters.