5 lessons to help security pros craft a New Year’s resolution

1 2 Page 2
Page 2 of 2

Lesson # 3 – Don’t underestimate the value of a CSO

2014 is considered the year of the breach. While there are many contributing reasons these intrusions occurred, a key issue is executives are unaware of how insecure their networks actually are. Cyber security has gotten to the point where it is a boardroom discussion, if it isn’t, it needs to be. Executive teams need to get information directly from the person in charge of security. Burying security under the CIO does not work.

Information uptime and cyber security are two different problem sets. They are critical enough to an organization that they require a separate reporting structure, a CIO and a CSO. The CSO must report directly to the CEO and have a clear metric for implementing security.

Lesson #4 – A solid foundation is critical

Building and implementing an effective security program takes time; it is not something that can be simply pieced together. Similar to a home, a security program requires a solid, well thought-out foundation to be successful. There must be a clear plan of action and a robust architecture design when building out a security program. Therefore, while there might be a firewall, IDS and DLP, without the proper foundation the infrastructure will collapse very quickly as soon as the winds of adversity start blowing.

For organizations that have not built their security program correctly, they need to put the foundation items in place. The core foundations of security are 1) asset identification, 2) configuration management, and 3) change control. If an organization does not know what is on its network, how they are configured and properly control change, the organization is going to lose and get breached. An organization must have a proper foundation which allows all the devices connected to the network to be controlled and managed.

Lesson #5 – You can’t protect critical data if you don’t know where it resides

In 1933 when Billy Sutton was asked “why do you rob banks”, his reply was “because that is where the money is”. For an organization, its money is its data; that is why adversaries break into organizations. This is perhaps one of the most important lessons the industry has learned in 2014.

Today’s attacks are focused on the critical data and ways to exploit this data for the attacker’s advantage. If an organization does not know where its critical information is, it can’t protect or control it. Therefore it is critical that organizations identify what their critical information is, locate which servers it resides on, and provide proper measures to protect it. Organizations must perform data discovery to identify and control their critical intellectual property.

Those who do not learn from the past, are forced to repeat it. Based on the amount of security activity that occurred this year, organizations are truly at a reflection point. Are they going to keep doing what they have been doing, which evidently does not work or are they going to step back and change how they approach security? In many cases, organizations need to start over. By putting in the proper foundation, allocating the proper resources, setting up the proper infrastructure and focusing on timely detection of breaches, organization can overcome the sins of 2014 and have a more productive 2015.

Eric Cole is a SANS Faculty Fellow and director of the SANS Cyber Defense Program.

Copyright © 2014 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful cybersecurity companies