Why You Can't Afford to Ignore Security Basics
Govciooutlook

By Bill Podborny, CISO, Alliant Credit Union

Cyber security incidents have almost become a daily news event. Between the increase in incidents and the pressure from executive management and boards to protect organizations, it’s easy to get caught up in all the hype surrounding the latest cyber security buzz.

Who wouldn’t want to rush out to acquire the latest silver bullet?

As a security professional, I constantly get calls from vendors offering the latest and greatest security tools, services, and processes available on the market today. Not unlike other security professionals, I enjoy seeing the latest technologies, and the chance to tinker with something new.

I’m not suggesting that one or more of these offerings wouldn’t improve the security posture of any organization—but I think a lot of these advanced systems and techniques are being introduced in lieu of some of the basics.

Most organizations are strapped for qualified security professionals. As a result, the time and attention needed to investigate and implement new tools can prove distracting from the required security hygiene fundamentals.

When you hear about the next security breach, there’s a good chance that it may be a new attack vector—but the root cause was exploiting a fundamental function, such as login credentials.

There is a reason why best practices like ITIL and ISO exist and have stood the test of time. If implemented correctly, they work. As we look at the latest regulations and guidance, such as PCI and FFIEC, they are all emphasizing the same thing: start with a good foundation and mature security practices over time.

So what do some of the basics entail? What constitutes a good foundation? For starters, think about people, process, and technology and consider these five tips:

1. Know the risk to your organization and the tolerable risk you are willing to accept. Defining how much protection to put in place could save time and energy from unnecessary tasks.

2. Inventory what your critical assets are and ensure that they are restricted to only those who need them to perform their job function. How many times have you seen someone’s laptop loaded with all sorts of security protection tools, but the end user has administrative permissions to their own machine?

3. Protect assets according to their risk level. It’s likely that not all assets are of equal value. This is where the meat of many basic security principles, such as access control and regular patching, is potentially ignored.

4. Have the ability to detect threats. While this is critical, I think this is where a lot of time is spent while ignoring the basic protection methods. Monitor the environment for suspicious activities, which may involve capturing more than just security logs. Remember that anomalies can take on many forms.

5. When an issue arises, have a solid incident response plan that contains repeatable processes to follow through to resolution. I can’t say enough about practicing your response plan to ensure the first time you’re looking at the plan isn’t right after an incident.

The basic premise for security should be to protect critical assets by having the ability to detect malicious behaviors and respond to threats. While some tools may make it easier and more efficient to operate security functions, they can’t take the place of basic security principles. After you have the basics running smoothly, you’ll have a good foundation to work from. At that point, you can enhance the process or look at advanced capabilities.
