There's no magic pill for security
Too often, New Year's resolutions to get into better shape are derailed because of a lack of realistic planning. The same thing happens in the security sphere.
Computerworld - As happens every January, when the new year arrived a couple of weeks ago, I saw a lot of new joggers and dog walkers out on the roads in my neighborhood. I've heard that gyms see a spike in business every January as well. In both cases, after a few weeks, things revert to about where they were before, as most of those who resolved to get fit in the new year fall away.
The problem is that real fitness is not achieved through a quick fix. It's an entire lifestyle, not a couple of jogs around the block.
Parallels can be drawn to security, be it information security, application security, software security or any other security discipline.
For many organizations, certainly, the quick fix can be tempting -- and it's just as illusory as the fitness quick fix. Again and again I've seen organizations that otherwise are lax in security matters commission a quick penetration test of whatever software or app they're deploying. They hope the test will give them an easy list of things to fix and leave them -- ta-da! -- secure. Even worse, they might go out and purchase a firewall, IDS, application firewall or some other product they heard about at a trade show and expect it to magically secure their shoddy software.
These things are to security what a pill that promises to burn fat while you sleep is to fitness. In both cases, the only thing you end up burning is cash.
Real security only comes with a lifestyle change, serious commitment and determination. It requires sweat and pain at times. But the results can be worth all that effort.
If you are ready for that kind of commitment, then the next natural question is where to begin. Quite simply, you need a plan. Failing to formulate a solid plan is what trips up the New Year's resolution crowd, and the same is true for organizations seeking better security. If you're out of shape, you shouldn't expect that you can just put on the sweats and running shoes and run a few miles on New Year's Day. Getting to wherever you want to be is going to take time, and should be planned accordingly. Start with the small things and gradually increase.
Here's how I would recommend easing into better security shape:
* Decide where you want to end up. Do you want the absolutely best security program that money can buy? Are you aiming to do things only as securely as other organizations in your field? Do you want to do the bare minimum to avoid some regulatory sanction? Thinking about questions like these will help you determine what you can afford to do -- and what you can't afford not to do. Set a target, and then get senior buy-in and commitment for getting there. A fine example of goal-setting is the famous Bill Gates "Trustworthy Computing" memo, sent to all Microsoft employees in January 2002. In it, Gates wrote, "So now, when we face a choice between adding features and resolving security issues, we need to choose security." Those simple words sent Microsoft in a new direction and continue to shape the company's actions today. * Next, critically assess where you are now. Just how bad is it? Whether you do the assessment yourself or hire consultants, you should emerge from the process with a candid understanding of your current state -- no sugar coating. And if you haven't done such an assessment for some time, do it again. It's worth updating that "before" snapshot from time to time. * With your goal in mind and your current state understood, establish milestones. Start with bolstering the most glaring weaknesses uncovered in your current-state assessment. Plan and budget them out over a realistic timeline. Build each milestone into your organizational goals and your staff's personal goals. Plan to measure successes (and failures). Reward those who succeed, and punish those who don't.
More by Kenneth van Wyk
- Kenneth van Wyk: Apple's big fail
- Kenneth van Wyk: After Snowden
- Kenneth van Wyk: Target breach underscores how backward U.S. payment tech is
- Kenneth van Wyk: Enjoy your trip, but protect the data you take with you
- Kenneth van Wyk: Lingering faults with security by default
- Kenneth van Wyk: High hopes for iPhone's Touch ID
- Kenneth van Wyk: Why mobile apps beat Web apps for privacy
- Bug bounties: Bad dog! Have a treat!
- How to avoid Big Brother's gaze
- The true root causes of software security failures
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts