Know what you have
Sometimes the least sexy stuff helps you win. In computer security, this means establishing an accurate inventory of your organization's systems, software, data, and devices. Most companies have little clue as to what is really running in their environments. How can you even begin to secure what you don't know?
Ask yourself how well your team understands all the programs and processes that are running when company PCs first start up. In a world where every additional program presents another attack surface for hackers, is all that stuff needed? How many copies of which programs do you have in your environment and what versions are they? How many mission-critical programs form the backbone of your company, and what dependencies do they have?
The best companies have strict control over what runs where. You cannot begin that process without an extensive, accurate map of your current IT inventory.
Remove, then secure
An unneeded program is an unneeded risk. The most secure companies pore over their IT inventory, remove what they don't need, then reduce the risk of what's left.
I recently consulted for a company that had more than 80,000 unpatched Java installations, spread over five versions. The staff never knew it had so much Java. Domain controllers, servers, workstations -- it was everywhere. As far as anyone knew, exactly one mission-critical program required Java, and that ran on only a few dozen application servers.
They queried personnel and immediately reduced their Java footprint to a few hundred computers and three versions, fully patching them across most machines. The few dozen that could not be patched became the real work. They contacted vendors to find out why Java versions could not be updated, changed vendors in a few cases, and implemented offsetting risk mitigations where unpatched Java had to remain.
Imagine the difference in risk profile and overall work effort.
This applies not only to every bit of software and hardware, but to data as well. Eliminate unneeded data first, then secure the rest. Intentional deletion is the strongest data security strategy. Make every new data collector define how long their data needs to be kept. Put an expiration date on it. When the time comes, check with the owner to see whether it can be deleted. Then secure the rest.
Run the latest versions
The best security shops stay up on the latest versions of hardware and software. Yes, every big corporation has old hardware and software hanging around, but most of their inventory is composed of the latest versions or the latest previous version (called N-1 in the industry).
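As an added illustration (not from the original article), the sketch below turns the three steps above into one inventory review: count every product and version, list installs on machines with no documented need for removal, and list the rest that are older than N-1 for upgrade. The hosts, roles, version strings, and the NEEDED and SUPPORTED tables are constructed assumptions; a real review would read them from your inventory tool and vendor release notes.

```python
import csv
import io
from collections import Counter

# Constructed sample inventory: hypothetical hosts, roles and version strings.
INVENTORY_CSV = """host,role,product,version
dc01,domain-controller,java,6.0.45
app01,app-server,java,8.0.66
app02,app-server,java,7.0.80
app03,app-server,java,6.0.45
ws101,workstation,java,8.0.66
ws102,workstation,java,6.0.45
ws103,workstation,reader,11.0.10
"""

# Assumption: roles with a documented business need for each product.
NEEDED = {"java": {"app-server"}, "reader": {"workstation"}}
# Assumption: the N and N-1 releases per product, maintained by hand.
SUPPORTED = {"java": {"8.0.66", "7.0.80"}, "reader": {"11.0.10", "11.0.09"}}


def review(csv_text, needed, supported):
    """Return (footprint, remove, upgrade) for an inventory in CSV form.

    footprint: Counter keyed by (product, version) -> number of installs
    remove:    [(host, product)] installs on roles with no documented need
    upgrade:   [(host, product, version)] needed installs older than N-1
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    footprint = Counter((r["product"], r["version"]) for r in rows)
    remove, upgrade = [], []
    for r in rows:
        product, version = r["product"], r["version"]
        if r["role"] not in needed.get(product, set()):
            # Remove first: no point patching software nobody needs.
            remove.append((r["host"], product))
        elif version not in supported.get(product, set()):
            # Then secure what is left: bring it to N or N-1.
            upgrade.append((r["host"], product, version))
    return footprint, remove, upgrade


if __name__ == "__main__":
    footprint, remove, upgrade = review(INVENTORY_CSV, NEEDED, SUPPORTED)
    for (product, version), count in sorted(footprint.items()):
        print(f"{product} {version}: {count} install(s)")
    print("remove:", remove)
    print("upgrade:", upgrade)
```

Anything left on the upgrade list that cannot be moved to N or N-1 is the small set that needs vendor follow-up or offsetting mitigations.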