“Most security products are not included in typical vulnerability scans or patch/configuration management sweeps. This is definitely one reason why tools may not be as up-to-date as needed,” says Shackleford.
“Mature internal audit teams and external compliance auditors will usually check that security tools are properly configured. They don’t do this continually,” says Shackleford. The more frequently configurations are checked, the sooner you catch a setting that has drifted or was never applied in the first place. Frequent audits only lead to frequent correction, though, if you have enough security staff with enough hours to bring configurations to an acceptable baseline and keep them there.
Enterprises should weigh the cost of the status quo: security tools that stay connected to the network while their software stagnates and their exposure grows. The alternatives are to work through the backlog of neglected tools (update, configure, and maintain them) or to disconnect those you can afford to lose, which also saves ongoing license and support costs. Either way, close abandoned or unnecessary remote access to security tools to eliminate that attack surface.
To counter backdoors in security products, as well as vulnerabilities in the open source code and libraries those products bundle (Heartbleed in OpenSSL and Shellshock in Bash are the familiar examples), enterprises should ask suppliers about their secure development lifecycle and privacy-by-design efforts, says Malcolm Harkins, CISO, Cylance.
According to Harkins, enterprises should ask technology providers about
- responsible vulnerability disclosure
- processes for product/service security and privacy incident response
- where development is done, so you can judge whether that location raises the risk to product integrity (some countries’ laws require product backdoors)
“Determine whether the technology provider has the competencies as well as character to mitigate and manage the product security and privacy risks,” says Harkins.
To close the gap between the supply of and demand for security professionals, look beyond salary for ways to attract candidates. Earn a second look from talent seeking flexible work schedules, a wider choice of work locations, career-enhancing training, and career planning with clear road maps, says Frank Dickson, information and network security research director, Frost & Sullivan.
By offering staggered shifts, several attractive work locations outside the tri-state area, opportunities to build skills, and a clearly defined road map for advancement, an enterprise can draw in a larger pool of capable security staff, says Dickson.
“Resolving security product misconfigurations despite short staff comes down to where you want to prioritize your efforts to minimize enterprise risks,” says Witter. Prioritizing the immediate work of detecting and responding to today’s high-risk attacks over the long-term goal of maintaining security configurations remediates the greatest number of the costliest threats.