Having been at my new company for several months now, this week I was invited to inform executive management about the state of our security. I had half an hour to formally introduce myself and talk about my philosophy, my initial findings and the priorities I think we need to have.
Thirty minutes isn't much time, of course, and I figured that I should be prepared to talk for just 15 minutes, so that I could give the team time to ask questions. I had to make that quarter of an hour really count.
Before me were the CEO, the CIO, the CFO, the CTO and the vice presidents of sales, marketing, support and operations. I told them that I had been working in security long enough to know what sorts of things work. There's the rule of least privilege, which enforces access controls based on granting only those privileges that any individual needs. There's security awareness and the idea that changing employees' behavior is one of the most crucial ingredients of strong security. There's the acknowledgment that we're only as strong as our weakest link. There's the all-important realization that security is a process, not a point solution.
Real-world examples helped get my points across. The weak link, for example: I noted that even a large company like Target, with a multimillion-dollar budget, huge security staff and PCI and other industry certifications, could still be breached because its HVAC vendor allowed a PC to be compromised. Employee behavior: I cited many recent breaches that had been caused by one person doing something he shouldn't have done. Security as a process: I said that we needed technology to help secure the company, but no single device or piece of software can guarantee a secure infrastructure. Security is a product of people, policy, process and technology that, when combined, increase our security posture, and thus decrease risk.
I was only five minutes in and didn't mind too much the two minutes I lost when the CEO told a war story.
Next, I needed to give the executives my assessment of our security stance. The assessment, I explained, was based on things like my observations during the new-hire process, a review of existing documentation, security assessments, interviews, business process reviews, and the monitoring of our network.
I spent some time focusing on what we can learn by monitoring the network. We recently conducted a proof of concept of a Palo Alto Networks firewall, which came with all of the cool bells and whistles that can make it transparent how our network is being used from a security and risk perspective. I told the group some of what we've learned: We have traffic going to and coming from more than 60 different countries. We're using more than 30 different cloud file storage solutions. Employees are using peer-to-peer software and remote-control software such as LogMeIn, both of which violate our corporate remote-access policy. They're also using our network to access pornography sites, which is a legal, human resources and security risk. The firewall told us we're under attack and pinpointed the type of attack being used. It singled out several internal resources that were potentially compromised and communicating with malicious Internet command-and-control sites.