Right now, you're probably busy munching on a garden salad or figuring out a way to spend more time with your family. Yes, it's New Year's resolution time, and this year I have a special challenge for you. While driving to the gym or to your kid's piano recital, make a few security-related New Year's resolutions as well.
Here are five quick options:
Resolution #1: Stop whining about your budget. In virtually every survey we conduct, "lack of budget" is cited as the number one obstacle to effective enterprise security. There are two constants in this field: (1) There will always be another critical vulnerability or worm; and (2) you'll never have the money or resources you think you need to protect against them.
As industry veteran Bill Murray says, "The budget fairy is dead." Accept this as a fact of life, and you'll be amazed at all the ways you can do more with less.
Resolution #2: Re-examine your vendor relationships. Here's one way to save money. The longer the IT industry remains in the dumper, the better positioned you are to pinch your suppliers on licensing deals. The vendors know it, and they know you know it.
When considering a product from a security startup, go the extra mile on due diligence. Ask for proof that they have the venture funding they trumpet in their marketing pitch. Ask them about their strategy for building the business. Talk to their customers about their experience with the company, both good and bad. Soon you'll start to recognize the warning signs that a vendor ain't long for this world.
If you're considering a more established vendor, negotiate deals down to the last penny. In a soft economy, big vendors are willing to give product away for a chance to upgrade you later.
Resolution #3: Stop complaining about policies. Yes, they're boring. Yes, they're tedious. No, no one likes to work on them. Part of the problem is that far too many people view security policy as a monolith, as in: "I spent 18 months putting this thing together, and I'll be damned if I'm going to do it again so soon."
We constantly hear how important it is to turn a policy into a "living" document. One way to do it is to tackle the job incrementally. Start by making a commitment to fixing one glaring problem with your current policy (and don't tell me you're not aware of any).
Resolution #4: Change your mindset from "intrusion prevention" to "intrusion management." I've railed against the concept of intrusion prevention before. The new products being marketed under this moniker serve a purpose, but it's counterproductive to think about risk in terms of prevention. You can accept, mitigate, transfer and even ignore risk, but you can't prevent it. Similarly, you'll never prevent intrusions at all layers of your infrastructure. Breaches happen. What's important is how you respond.
Resolution #5: Put the mouse down and press some flesh. Security is partly a technical pursuit; nobody disputes that. There's no substitute for intelligent network segmentation, granular firewall rules or tight Web server configs.
But security is much more than that. It's about interacting with department heads, product managers and application developers to get a sense of what they do and how they do it. Not only will this help you identify weaknesses in your security program, but it helps put security on their radar.
Face it: Most users care about security only when they're forced to. Once you understand their responsibilities, objectives and concerns, you're in a much better position to institutionalize security into their programs and processes. All of a sudden, they adopt security because it's important to them, not just to you.
About the author:
Andrew Briney is editor-in-chief of Information Security magazine.
This was first published in April 2011