6 signs enterprise security is getting better

After decades of fumbling, companies have grown painfully aware of the risks of poor security and are finally taking best security practices and technologies seriously

As a traveling consultant, I visit lots of businesses during the year and examine their security plans. For decades, I’ve secretly scoffed at what they’ve tried to do because it was often too little, too late—and misdirected.

But these days, I run into more and more companies that get it right rather than wrong, with ideas that actually work instead of ones that are broken from the start. My audits and reports, which used to run 100-plus pages and contain dozens of critical and high-severity findings, are now a lot shorter. (I sure hope they'll pay me the same for a much briefer report.)

Why the improvement? It’s been gradual, yet at the same time driven by an increasing sense of urgency. Here are some of the developments that, in my opinion, have led to a significant upturn in effective enterprise security.

Fear of the consequences

The Sony Pictures and Target hacks from a few years ago were turning points for senior leadership and shareholders. Big companies had lost tens to hundreds of millions of dollars to breaches before, in lost revenue or response costs, but the Sony and Target events were much more than that. The Sony hack resulted in a long shutdown of services and publicly revealed intellectual property theft, not to mention the release of hugely embarrassing emails. The Target hack cost the company its CEO and CIO, and seven board directors came close to being walked out the door for failing to protect customers from the breach.

Those top-level firings and leakage of confidential information shook corporate America. Prior to those events, most IT security teams were seen as overly paranoid obstructionists who wanted to slow down legitimate business. After those events, IT security is now viewed as a crucial partner in helping any company remain viable. Today, when IT security speaks, the ears and purses of the company are open. The internal struggle between security and operational efficiency will always persist, but security is winning more battles.

I’m also seeing a lot more CISOs, CSOs, and even chief privacy officers. It used to be only the biggest companies had them. Now, even small companies designate a senior IT person as “security officer.”

Identity is becoming the security boundary

For decades, the security boundary was the network perimeter or firewall. Then it morphed to each individual computing device or host. Eventually, we all recognized that the security boundary isn't physical: it's identity. If a hacker or malware can steal a legitimate user's logon credentials, then it's open season on everything the user has access to. Secure identities and you secure the environment.

I also see more two-factor authentication (2FA) solutions than ever before. For regular users, 2FA is a normal part of the job. They’re even enabling and requiring 2FA on their social media sites and home computers. It’s common for me to see IT admins with multiple 2FA logons—often one to access the VPN and another to access a particular system.

Compliance helps

Sometimes, compliance gets in the way of better computer security. It's old, slow, and lumbering. But in some cases, compliance regulations and laws are the only reason many companies were able to justify better security. For example, the PCI DSS standard that covers credit card data has forced many companies to put PCI-related assets into segmented, higher-security environments. Those environments wouldn't have materialized without the regulation.

More and better event monitoring

I’ve noticed a greater number of events are being collected, logged, and analyzed. For a long time I was accustomed to hearing that event logging was not turned on; if it was, companies ignored it. This is changing. Now I see more and more companies monitoring all clients and servers, as well as sending the data to security intelligence systems for analysis. It’s no longer acceptable to ignore event logging when it often reveals early signs of intrusion.

More data-driven and behavior-based solutions

I feel like I’m witnessing the dawn of a new age in data-driven computer security defense. It’s hard to find a new security solution that doesn’t tout its ability to use more and better data to drive specific mitigations. Many of these are behavior-based solutions looking for signs of malicious intrusion. In the past, customers were frustrated with solutions that delivered logs full of noise or false-positive alerts. Today, with increasing frequency, customers tell me that the latest solutions are making them happy. They actually trust them.
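To make the last two points concrete (events being collected and analyzed, and behavior-based detection that keeps the noise down), here is a small added example, not code from the article or from any product it alludes to. It runs three common logon heuristics over a handful of constructed log lines: a password spray (one source failing against many accounts), a success after a run of failures for the same account and source, and a success on a host the account has never used before, judged against a constructed per-user baseline. The log format, host and user names, IP addresses, and thresholds are all assumptions made up for illustration; a real deployment would feed the same logic from a SIEM export and tune the thresholds to its own volume.

```python
"""Run simple intrusion heuristics over a handful of constructed logon events.

Added example, not from the original article. The log format, host names,
user names, addresses and thresholds below are all made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format:
# <ISO-8601 UTC timestamp> host=<name> event=<logon_ok|logon_failed> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-04T09:00:01Z host=srv-app01 event=logon_failed user=alice src=203.0.113.9
2024-03-04T09:00:02Z host=srv-app01 event=logon_failed user=bob src=203.0.113.9
2024-03-04T09:00:03Z host=srv-app01 event=logon_failed user=carol src=203.0.113.9
2024-03-04T09:00:04Z host=srv-app01 event=logon_failed user=dave src=203.0.113.9
2024-03-04T09:00:05Z host=srv-app01 event=logon_failed user=erin src=203.0.113.9
2024-03-04T09:05:00Z host=srv-db01 event=logon_failed user=svc-backup src=10.0.5.22
2024-03-04T09:05:04Z host=srv-db01 event=logon_failed user=svc-backup src=10.0.5.22
2024-03-04T09:05:09Z host=srv-db01 event=logon_failed user=svc-backup src=10.0.5.22
2024-03-04T09:05:15Z host=srv-db01 event=logon_ok user=svc-backup src=10.0.5.22
2024-03-04T10:30:00Z host=srv-fin01 event=logon_ok user=alice src=10.0.7.41
2024-03-04T11:00:00Z host=srv-app01 event=logon_ok user=bob src=10.0.5.10
"""

# Constructed baseline of where each account normally logs on (assumption).
BASELINE_HOSTS = {
    "alice": {"srv-app01"},
    "bob": {"srv-app01"},
    "svc-backup": {"srv-db01"},
}

# Illustrative thresholds; tune to real volumes.
SPRAY_DISTINCT_USERS = 5
SPRAY_WINDOW = timedelta(minutes=5)
BRUTE_FAILURES = 3
BRUTE_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
    except ValueError:
        return None
    if fields.keys() != {"host", "event", "user", "src"}:
        return None
    fields["ts"] = ts
    return fields


def detect(log_text, baseline):
    """Return a list of (kind, subject, detail) alerts found in the log text."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []

    # 1. Password spray: one source fails against many distinct accounts in a short window.
    failures_by_src = defaultdict(list)
    for e in events:
        if e["event"] == "logon_failed":
            failures_by_src[e["src"]].append(e)
    for src, fails in failures_by_src.items():
        for i, first in enumerate(fails):
            window = [f for f in fails[i:] if f["ts"] - first["ts"] <= SPRAY_WINDOW]
            users = {f["user"] for f in window}
            if len(users) >= SPRAY_DISTINCT_USERS:
                alerts.append(("password_spray", src, f"{len(users)} accounts in {SPRAY_WINDOW}"))
                break  # one alert per source is enough

    # 2. Brute force: repeated failures for one account, then a success from the same source.
    recent_fail = defaultdict(list)  # (user, src) -> timestamps of failures
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "logon_failed":
            recent_fail[key].append(e["ts"])
        elif e["event"] == "logon_ok":
            fails = [t for t in recent_fail[key] if e["ts"] - t <= BRUTE_WINDOW]
            if len(fails) >= BRUTE_FAILURES:
                alerts.append(("success_after_failures", e["user"],
                               f"{len(fails)} failures from {e['src']}"))
            recent_fail[key] = []

    # 3. Behavioral: a successful logon to a host this account has never used before.
    for e in events:
        if e["event"] == "logon_ok" and e["host"] not in baseline.get(e["user"], set()):
            alerts.append(("new_host_for_user", e["user"], e["host"]))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE_HOSTS):
        print(alert)
```

On the constructed input the script raises exactly three alerts and stays quiet on the ordinary logons, which is the point of the baseline: the same "successful logon" event is noise for bob on srv-app01 and a signal for alice on srv-fin01. The spray rule fires on distinct accounts rather than raw failure count, so a single user mistyping a password does not trip it.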

Fewer admins

Every company I visit is reducing the number of permanent members in its most privileged groups. Many companies have zero permanent members, and they’re finally addressing the hassle of handling and updating service accounts. Elevated service accounts are handed out sparingly, are monitored, and are subject to frequent password changes.

Better user behavior

Conventional wisdom holds that users are always the weakest link in any computer security defense—and some never learn. I’m not sure about that anymore. I’ve seen war-weary users who’ve discovered how bad it can get and have grown skeptical of almost any item that comes their way. I’ve even heard companies complaining they can’t get their users to open legitimate emails that look the slightest bit fishy. I’m not saying all users have become perfect gatekeepers, but the situation is better than it has ever been.
