Many people believe they need to take on large tasks and implement expensive technologies to fix the problems with their security program. Brought on by the compliance-first mentality epidemic combined with ongoing IT audit requirements, these “fixes” are often nothing more than paperwork, programs and poorly implemented technical controls that create the illusion of progress. Yet, behind the scenes, the truth is evident. The real weaknesses are present in terms of ownership and accountability, oversight and lack of ongoing improvements.
Enhancing a Security Program
The following are some small, yet important, quick wins for security that you can address today to make things better over the long haul:
- Clean up your security policies by standardizing a template and eliminating redundancy.
- Develop a security testing plan that ensures periodic and consistent in-depth information risk assessments, penetration testing and vulnerability scans. Many organizations address these security functions haphazardly — often after a breach or when they’re otherwise forced to do so, which can only serve to make you look bad.
- Standardize on full-disk encryption for laptops, patch management for your main OS software and third-party patches and mobile device security. Then develop a plan for rolling them out. You might already have these controls at your disposal. Once implemented, these three things alone can easily eliminate 50 percent or more of your information risks, and no formal risk assessment is needed. I cannot think of any organization, regardless of size or industry, that wouldn’t benefit from taking these three steps.
- Document an incident response plan. Most organizations I’ve seen don’t have one, and that’s such a dangerous thing. At the very least, create a one-page document that simply has all the contact info for your vendors, ISPs, security and forensics experts and legal counsel. You’re going to need all of them on board when the going gets rough.
How else can you tweak your security program to make things better? Only you know the answers. All it takes is two of the rarest things to come by in business today: a level of commitment and stick-to-itiveness. If there’s a big enough “why,” the “how” will take care of itself.
Build for the Future
Starting today, forget about fixing all of your security problems this month or even this year. Most organizations could go the next 12 months without spending a single penny on new stuff — products, services and other things that promise to fix everyone’s security woes. Instead, by focusing on the freebies — using what you’ve already got combined with some elbow grease — you can make huge strides toward developing your security program, fixing the fixable that’s spread across your environment and minimizing your security risks.
As the saying goes, Rome wasn’t built in a day. Like diet, exercise and investing in retirement, it only takes a little at a time to make a big difference. The real challenge is setting your sights on the bigger picture and doing the little stuff that needs to be done today so you can reap the big rewards in the not-so-distant future. That future will be here before you know it.
Independent Information Security Consultant