First and foremost, I am not a big fan of “compliance.” I say that with some reluctance because there are certainly positive aspects to the notion. The PCI/DSS standard provides an effective and comprehensive framework that organizations can use to help shape their network security strategy. Unfortunately, there is an overwhelmingly negative aspect of compliance that can drive organizations toward a kind of mediocrity which inevitably results in a higher level of risk. This may seem a little counter-intuitive, but stay with me while I offer a brief analogy that may clarify my point.
When I was in the Navy, all military personnel were required to participate in a semi-annual fitness test. The standards associated with the test were broad in that it wasn’t very challenging to meet the minimum standard, but it was exceptionally difficult to score the maximum on the test. Not surprisingly, those Sailors who worked to achieve the best score were much more physically fit than those Sailors who strove for the minimum score. Those who were content with doing just enough to get by weren’t necessarily bad Sailors. But those Sailors who strove to maximize their performance on the test were usually above-average performers overall. The parallel here is that organizations must move beyond mere compliance to ensure they are cyber secure.
But moving beyond compliance to achieve true security excellence can be intimidating and overwhelming. That being said, I have found that if a complex process can be distilled down to a few basic components, it becomes considerably less onerous. To move beyond compliance and become truly secure, I would focus on improving three areas, which I think of as the points of the Network Security Trident:
- Technology
- Experts
- Behavior
I view technology in two contexts: prevention and detection. Those organizations that rely on prevention alone (which would meet most compliance requirements) are bound to suffer the same fate as Target, Home Depot, and the long list of other companies that fail to adhere to Cyber Security Rule #1: You will be hacked.
Accepting this idea should drive companies to find and deploy hack detection capabilities. This is particularly true for retailers, as Black Friday, Cyber Monday, Chanukah, and Christmas shopping are right around the corner. The idea is to minimize the time between compromise and detection, which in turn limits the amount of time a hacker has to find and steal customer data.
Most businesses solve the human part of the resource problem by leveraging IT Staff to perform security functions. This approach is problematic for two reasons.
First, Information Technology is NOT Security. The skill set of a true Cyber Security Expert is complementary to, but fundamentally different from, the skill set of an IT Professional. The best Cyber Security Experts have experience in defeating network security measures – they know how to hack, which makes them exceptionally well qualified to find hackers on a network.
Secondly, the primary function of IT Staff is network operations. Adding security responsibilities to the workload of an IT Professional will inevitably reduce efficiency in network operations, network security, or both.
But the truth is that finding the Cyber Security Experts I just mentioned is extremely difficult, and paying for them is even more challenging. The good news is that some security companies can provide businesses with viable Cyber Expert outsourcing solutions. I caution companies that choose to rely on technology solutions alone to address detection. While it’s true that machine intelligence is effective at catching the majority of threats, there is a small percentage of sophisticated attackers who avoid detection by purely technological solutions and can only be detected by humans with the right skills. Remember, it only takes one successful hacker to cause a world of trouble for a company.
User behavior is the last, and arguably the most critical leg of the Network Security Trident. One user mistake, or one user who fails to follow established policy, can cause that world of trouble that I just talked about. It doesn’t matter if a company has deployed the most advanced technology operated by the most highly skilled cyber security experts; one user action can have a catastrophic impact on a business. So every organization that wants to be serious about security needs to follow two simple rules:
- Train your people
- Enforce policy
There’s a saying in the Navy that “everyone is a Safety Officer,” which I extend to the private sector as “Everyone is a Cyber Security Officer.” That means that every employee should have some basic understanding of information security principles and best practices. For the administrative assistant, being a Cyber Security Officer might mean understanding what a secure password looks like. For a network Administrator, being a Cyber Security Officer might mean understanding that surfing the internet while logged on as an Administrator is dangerous: a compromise could give a hacker root-level access to the network. Every member of an organization plays a role in securing the retailer’s network and protecting sensitive information.
People make mistakes, so we should expect that a user will from time to time expose the company to additional risk of being hacked. But failure to follow policy is a different story. Policy missteps are often associated with members of an organization not paying attention to detail, and in more egregious cases policy infractions result from users deliberately ignoring policy. So, like the Cyber Security Officer role, everyone in an organization has a part to play when it comes to following and enforcing policy. But it starts at the top. CEOs and Management Teams must ensure that policy is reasonable and that it aligns with business functions and objectives, and they must demand policy compliance from their people. Leaders must hold employees accountable in cases where policy is deliberately ignored.
In closing, the Network Security Trident (Technology, Experts and Behavior) provides a helpful framework that can help companies drive their organizations to achieve network security excellence, moving beyond mere compliance.
Mike Walls is the Managing Director of Security Operations at EdgeWave. During his time as a captain with the US Navy, he was commander of Task Force 1030 and was directly responsible for the cyber readiness of more than 300 ships, 4,000 aircraft, and 400,000 Navy personnel. He personally directed forces conducting cyber operations across the global Navy cyber domain and oversaw development and implementation of cooperative (Blue Team) and non-cooperative (Red Team) cyber readiness assessments across the Navy cyber infrastructure.