I recently helped a client dealing with a security breach. They had implemented a new tool, but never swapped the keys from the trial version to the full version. You know the next part — the new tool didn’t catch the ransomware.
Like most organizational security leaders, I’m always on the lookout for innovative technology solutions. I’ve heard every type of pitch from every type of vendor, and there is one glaring red flag that pops up all too often:
“Then you just set it and forget it!”
That, friends, is not a selling point; it’s a recipe for disaster.
The over-reliance on technology, and the under-investment in people and process to aid technology, invites this scenario. But even if you’ve developed some of these habits (and if you have, trust me, you’re not alone), it’s not too late.
Taking CIA Inventory
The first step in finding the best technology tools for your organization is not picking up the phone to discuss the solutions you don’t have; it’s conducting analysis to make sure you’re getting the most out of the tools you do have.
We’ve talked about the importance of applying the CIA Triad and a Zero Trust lens to people and process. Applying that same analysis to your technology is what ties all three pillars of PPT together and makes your security culture sing.
That means figuring out if you’ve put the right people and process around the tech. Security tools require consistent testing and fine tuning. Assigning ownership and giving owners a plan of attack ensures active monitoring.
Taking inventory of your current technology tools and the business and security problems they are meant to solve allows you to make sure they’re configured, assess any residual risk and then evaluate new technology. So, let’s use the lens of technology to once again evaluate the CIA Triad.
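The inventory step above is concrete enough to script. The following is an added example, not Headstorm's code or any vendor's tool: it walks a constructed inventory of security tools and flags the gaps described in this post (a tool still on a trial license, an expired license, no assigned owner, no testing in the last 90 days). The tool names, dates and thresholds are all assumptions made up for the example.

```python
"""Audit a security-tool inventory for ownership, licensing and testing gaps.

Added example; the inventory below is constructed, not a real environment.
"""
from datetime import date, timedelta

# Constructed sample inventory (not real products, keys or dates).
INVENTORY = [
    {"name": "edr-agent", "purpose": "endpoint ransomware detection",
     "owner": "soc-team", "license": "trial", "license_expires": "2024-01-15",
     "last_tested": "2024-02-01"},
    {"name": "siem", "purpose": "log aggregation and alerting",
     "owner": None, "license": "full", "license_expires": "2025-06-30",
     "last_tested": "2023-09-10"},
    {"name": "mfa-provider", "purpose": "identity verification",
     "owner": "iam-team", "license": "full", "license_expires": "2025-06-30",
     "last_tested": "2024-03-01"},
]

TEST_INTERVAL_DAYS = 90      # assumed policy: every tool is exercised quarterly
EXPIRY_WARNING_DAYS = 30     # assumed policy: warn a month before a key lapses


def audit_tool(tool, today):
    """Return the list of findings for one inventory entry (empty = healthy)."""
    findings = []
    if tool["license"] == "trial":
        findings.append("running on trial license")
    expires = date.fromisoformat(tool["license_expires"])
    if expires < today:
        findings.append("license expired")
    elif expires - today <= timedelta(days=EXPIRY_WARNING_DAYS):
        findings.append("license expires within 30 days")
    if not tool.get("owner"):
        findings.append("no owner assigned")
    tested = date.fromisoformat(tool["last_tested"])
    if today - tested > timedelta(days=TEST_INTERVAL_DAYS):
        findings.append("not tested in the last 90 days")
    return findings


def audit_inventory(inventory, today):
    """Map tool name -> findings, keeping only tools that have at least one."""
    report = {}
    for tool in inventory:
        findings = audit_tool(tool, today)
        if findings:
            report[tool["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2024, 3, 15)).items():
        print(f"{name}: {', '.join(findings)}")
```

Run it with the inventory as a JSON or CSV export from whatever asset system you already have; the point is that the "set it and forget it" failure in the opening story (a trial key never replaced) is detectable from records you already keep, provided someone owns the check.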
As it is with data, people, and processes, all your technological tools need to be assessed through the concept of Least Privilege. You have to ensure the right people — and only the right people — have access to the tools within your organization.
Likewise, every tool throughout your organization should fit your Zero Trust security culture. For example, assess whether any laptop in the organization should be allowed wireless access to your network if it lacks any of the required security software.
We say Zero Trust culture for a reason. It should be applied to every layer of your organization from employees to equipment to systems and processes.
If you are ever the victim of a breach, you’ll likely hear from one of two people — the hacker that stole your data, or a law enforcement official working the case. There are a lot of things either might say, but both will be summarized as: “Welcome to the worst day of your career.”
You cannot blindly trust technology or assume the tools and systems you’ve implemented will never be compromised.
A comprehensive analysis of the integrity of your technology tools is an absolutely critical step in avoiding that scenario. It starts with making sure logs and system audits are secure, and that configuration is secure and can’t be altered.
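One way to make "logs and configuration can't be altered" a testable property rather than a hope is to keep keyed digests of both. The block below is an added example, not Headstorm's code: it builds an HMAC manifest over a set of constructed configuration files and detects a modified file, and it hash-chains audit log records so that editing or deleting an earlier record invalidates every tag after it. The file paths, contents and signing key are all made up; in practice the key would come from a secrets store, and the manifest and log tags would be written somewhere the system being checked cannot overwrite.

```python
"""Integrity checks for configuration files and audit logs.

Added example; paths, contents and the key are constructed, not real.
"""
import hashlib
import hmac

# Constructed sample key and files (not a real secret or real configs).
SIGNING_KEY = b"constructed-demo-key-replace-with-vault-secret"
CONFIG_FILES = {
    "/etc/edr/agent.conf": b"license=full\nblock_ransomware=true\n",
    "/etc/siem/forwarder.conf": b"server=siem.internal:6514\ntls=true\n",
}


def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(key, files):
    """Keyed digest per file: editing a file without the key cannot keep it valid."""
    return {path: sign(key, content) for path, content in files.items()}


def verify_manifest(key, manifest, files):
    """Return (path, problem) pairs; an empty list means nothing drifted."""
    findings = []
    for path, expected in manifest.items():
        if path not in files:
            findings.append((path, "missing"))
        elif not hmac.compare_digest(expected, sign(key, files[path])):
            findings.append((path, "modified"))
    for path in files:
        if path not in manifest:
            findings.append((path, "unexpected"))
    return findings


def append_log(chain, key, record):
    """Hash-chain a log record: each tag covers the previous tag plus the
    record, so editing or removing an earlier entry breaks the chain there."""
    prev = chain[-1][1] if chain else ""
    chain.append((record, sign(key, (prev + record).encode())))
    return chain


def verify_log(chain, key):
    """Return the index of the first broken entry, or None if intact."""
    prev = ""
    for i, (record, tag) in enumerate(chain):
        if not hmac.compare_digest(tag, sign(key, (prev + record).encode())):
            return i
        prev = tag
    return None


def demo():
    """Exercise both checks against constructed tampering; returns the results."""
    manifest = build_manifest(SIGNING_KEY, CONFIG_FILES)
    clean = verify_manifest(SIGNING_KEY, manifest, CONFIG_FILES)
    tampered = dict(CONFIG_FILES)
    tampered["/etc/edr/agent.conf"] = b"license=full\nblock_ransomware=false\n"
    drift = verify_manifest(SIGNING_KEY, manifest, tampered)

    chain = []
    for line in ["login user=alice", "config change by=alice", "logout user=alice"]:
        append_log(chain, SIGNING_KEY, line)
    intact = verify_log(chain, SIGNING_KEY)
    chain[1] = ("config change by=nobody", chain[1][1])  # forged record, old tag kept
    broken_at = verify_log(chain, SIGNING_KEY)
    return clean, drift, intact, broken_at


if __name__ == "__main__":
    print(demo())
```

The check only means something if the manifest, the log tags and the key live outside the reach of whoever could alter the files; a manifest stored next to the configuration it protects just gets edited along with it.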
It’s also important to understand data privacy laws and the integrity of the environments in which your systems operate. For example, if your SIEM is in Germany, it’s critical you understand privacy laws like the GDPR. Collecting data, intentionally or not, that you are not supposed to collect is an integrity threat.
Finally, if and when the conversation turns to adding technology — be it hardware or software — make sure you properly vet the vendors you are considering.
Make sure all your technology is available to whoever needs it, whenever they need it.
That sounds simple, but it’s overlooked often enough to create massive headaches when things do not go according to plan. It helps to look at it like a business continuity plan.
Let’s say, for example, there is a global pandemic and in a matter of days your organization goes from having 98% of employees in the office to having 98% of employees working from home. There has to be a way to ensure employees who need access to on-premises security technologies can get it. In that case, “drive to the office” is not an acceptable continuity plan.
Benjamin Franklin famously said, “if you fail to plan, you are planning to fail.”
In our world, you have to plan for technology to fail, including hardware, and you have to plan for what you’ll do when it does.
A Complete Security Culture
The most common approach to organizational security is to purchase the newest, shiniest piece of technology, implement it, and hope for the best. As organizations change and threats evolve, that way of thinking has become dangerous.
At Headstorm, we believe security is something you live every day. To master the CIA Triad, protecting everyone and everything in your organization requires engaging everyone and everything in your security assessments.
If this all sounds like a beast to tackle given your org’s limited resources, browse our CISO-As-A-Service capabilities in cybersecurity strategy.