Information Security is still an emerging discipline, with lots of loud voices expressing different opinions as to what is the absolute best way to secure your company. Rather than throw more noise into the echo chamber espousing “best practices”, in this series of blogs I will be taking a different route. Every company does security differently, with varying degrees of success. No single approach works best for everyone; however, there are several approaches that are wrong for anyone. I will be outlining ten of these wrong approaches to security, in the hope that we can all get better at avoiding these mistakes.
Focus only on Technology
Security practitioners tend to fall into two major camps: technologists and process people. Technologists are security practitioners who have spent their careers as system administrators, programmers, network administrators, and other in-the-weeds IT jobs. It is an easy transition from these roles into managing firewalls, antivirus, intrusion detection systems, web proxies, and other security devices.
This type of operational IT background causes us to look at the world in terms of systems and devices. We are trying to protect UNIX servers, Cisco routers, and Windows workstations, so security becomes an exercise in tightening these configurations and meeting “best practices”. No matter how many tools we have at our disposal, as technologists we always want more. Each year there are new vulnerability scanners, new SIEM systems, and new layer 7 firewalls. Whatever security problems we are experiencing, they are always solved by a new tool that we just have not bought yet. And when we do get new tools, we invent new problems to solve with them.
A lot of us in Information Security have this type of background, and I count myself among that group. I have definitely made the mistake of getting way too hung up on specific technology. The problem with that is, outside of IT, nobody else really cares about all this IT infrastructure. Your company’s assets are its information, products, and services. The real threat to your company is one which affects any of the things that allow your employer to make money and deliver you a paycheck. If you have an amazing, locked-down Linux server build but fail to protect the CAD drawings for next year’s big new product sitting on an engineering fileshare, you have failed.
Technology is important, and doing Information Security effectively means understanding the different technologies that we are working with well enough to protect our assets. The trick is not to get lost within the technology itself and lose sight of what we are protecting.
Stay tuned for Part 2: Failing by Focusing only on Governance, Risk, and Compliance!