Five Security Truisms That Have Stood the Test of Time

Despite all of the iterations in software and hardware during the last couple of decades, there remains some fundamental security advice that has stood the test of time and is just as relevant today as it was in the 1980s.

We’ve all seen it: The data security industry has been on a wild ride during the last three decades, from the initial “glory attacks” of the 1990s and early 2000s, to the rise of financially motivated and hacktivist attacks, to current profoundly dangerous nation-state campaigns against governments, businesses and public infrastructure.

As these threats have evolved, so have enterprise security requirements. We’ve also seen many new technologies–ranging from antivirus and firewalls, to data loss prevention and log management, to next-gen SIEM (security information and event management) and threat intelligence–emerge over the years, each promising to solve our cyber security woes.

eWEEK, led by security journalists Sean Michael Kerner, Robert Lemos, Ryan Naraine, Wayne Rash, yours truly and a number of others over the years, has chronicled the rise and fall of various security approaches. These include the basic client-server schemes, along with network-centric, server-centric, workload-centric, cloud-centric, file-centric and even block-centric security.

However, through all of the changes, there is some fundamental security advice that has stood the test of time. Security software and services provider Optiv Security, through Infrastructure Security Expert Brian Wrozek, offers eWEEK readers five security adages that are as relevant today as they were years ago.

The “throw-money-at-the-problem” approach doesn’t work: For years, companies have battled advanced malware and sophisticated cyber criminals in a reactive mode, where new security challenges and regulatory requirements are met with the same response: purchase new technology and hire more people and partners to manage it. This approach has created a crisis in enterprise security, where security teams don’t know what assets they have, and infrastructures are bloated and unmanageable.

Not only is this strategy a waste of money, but IT infrastructures are a mix of various point solutions that aren’t orchestrated to work together. Many times, this leaves cracks in the foundation that companies thought they successfully built, allowing cyber criminals to penetrate their walls. The hard truth is that more spending doesn’t always translate to reduced incidents.

Organizations must rethink how they approach security spending. Before every new purchase, they must carefully weigh the need for best-of-breed technology with the importance of building a security infrastructure of fully integrated products, services and systems. To combat today’s sophisticated cyber criminals, companies must transform their security infrastructures and operations from a reactive, unwieldy and product-centric model, to one that is planned, predictable, and centered on optimization and orchestration.

People are the weakest link: Security influencers have been warning about the dangers of insider threats for years. There are malicious employees and other insiders who want to steal corporate data, gain unauthorized access to confidential systems and services, and execute malware to hurt their company. Then there are accidental cases, such as an employee mistakenly putting confidential data in the cloud. Though benign, this can be equally damaging. 

Today, there’s a third factor exacerbating the insider threat problem: The chronic shortage in cyber security skills makes it incredibly difficult to hire enough resources to manage complex infrastructures. As a result, IT security teams suffer from widespread burnout, which creates gaps in defenses. This is why so many data breaches are caused not by brilliant cyber attacks but simple human error: misconfigurations, unpatched systems and other elements of basic hygiene.

Companies don’t need more, they need “right”–the right strategy, the right infrastructure and the right policies and processes in place. Optimizing cyber security portfolios is a good first step to make security simpler, more manageable and less costly, which lessens the burden on security pros and frees them to prioritize higher-level tasks that deliver increased protection and business value.

Employees also serve as your first line of defense: While it’s true that employees can pose a serious security risk, they can also serve as their company’s first line of defense against cyber criminals. The most effective way to prepare them for this role is to create a strong cyber-security culture that encourages and rewards security awareness and safe online behavior.

If employees understand their roles in keeping company networks and data protected, they’ll be more inclined to uphold their responsibilities and follow company policy. As such, it’s important to implement ongoing education and training programs that teach employees about cybercriminals’ attack methods and tactics, such as ransomware and phishing, as well as how they should react if a threat is identified.

It’s also important to clearly explain how employees should manage their online activities and define acceptable and unacceptable ways to access and use company networks, software and devices. To promote adoption of safe cybersecurity behavior and boost employee engagement, consider implementing recognition and reward programs, running monthly contests or rolling out gamification programs.

Developing a strong cyber security culture founded on awareness, training and clearly defined security policies takes time and effort, but the end result is well worth the upfront investment.

Patching makes perfect: Patching may seem like a trivial task in the age of next-generation cyber security tools, but it’s a vital component of strong cyber security programs – and Meltdown and Spectre have reminded us of this fact. Addressing the Meltdown/Spectre vulnerabilities will likely require an exponential increase in the level of effort compared to the remediation of prior widespread vulnerabilities.

This is due to the number of patches required, the complexity of putting the right patch on the right system, and the testing required to understand the performance and stability impacts of the patches on the impacted systems and applications. The patch-management issue is exacerbated by companies failing to refresh their old equipment, which may be harder to patch than newer systems.

In a world where shiny new security products emerge daily, companies must focus on going back to the basics by putting fundamental security technology and processes, such as patching, in place to minimize risk, maintain protection and bring clarity to the current state of chaos.

Security is a business problem: CIOs and CISOs have always had a difficult time getting a seat at the table with fellow senior executives and in the boardroom. One of the main reasons for this is they have not been able to articulate their operations in a way that other executives and board members can understand; they haven’t been able to correlate security spend with the company’s overall risk profile. As a result, they are relegated to playing catch-up as strategic decisions are made without the input of security, making it difficult for them to be proactive in securing business operations.

While this has been an issue for years, it’s still an area of immaturity for many companies. Security executives must implement metrics and key performance indicators, so they can begin to report on their operations in an understandable and meaningful way. Budgeting and evaluating security operations in a way that is consistent with other business units will help security executives take a more prominent role in business strategy and planning, while enabling enterprises to accurately align security investment with risk profile.

Additionally, being able to speak the language of business will become the single most important factor in security executives finally getting that seat at the proverbial “executive table.”

Chris Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...