Security is not just a state of being.
We are often called to provide an assessment about our present security posture, and usually, the person asking the question is doing so within a very narrow context – one that they may or may not have shared with you.
Answering such a question is difficult at best.
Imagine walking up to your doctor and asking, “Doc, am I healthy?”
If your doctor can answer that without examining you, then one of the following might be true of you and your doctor:
- you simply have an awesome doctor
- your doctor has known you for a long time, and maintains a close relationship with you
- your doctor is pulling your leg
Similarly, in order to have any reasonable gauge of your organization’s total security posture (physical and information), you need to have a good, ongoing relationship with your network and its configuration, and an understanding of the current security threats.
If you know one part of the equation, but not the other, you cannot reasonably conclude anything about your security posture.
As I have stated previously, adhering to regulatory compliance does not always translate to increased security, because the work done for compliance purposes is sometimes very narrowly targeted, and not performed in an ongoing manner.
You need to employ tools to constantly assess the state of your network, servers and applications.
You need to implement policies and procedures that allow your employees, partners, and customers to operate within your environment in a manner that is deemed safe.
You need to evaluate current threats and understand the methodologies being used, in order to determine whether there are architectural weaknesses in your organization’s network or operations – not just in its software – that need to be shored up.
Finally, you need to educate your users, partners and business leaders about information security practices and threats, and work with them to develop practices that will reduce risk, without undermining productivity.
Being protected against yesterday’s attacks is smart, but it doesn’t make you safe, unless you are also keeping an eye out for today’s and tomorrow’s attacks, and adjusting your strategies to deal with them.
In case you hadn’t noticed, attacks against corporations – many of which have the resources to do better than you do – have risen. And don’t think that your network will be spared. The bad guys will simply package up their techniques into scripts that can be deployed by anyone who points them in your general direction – whether or not they know who you are.
The moment you become lax with security is the moment you can become a statistic, and you don’t want to make headlines, or be a part of headlines like these:
- Hackers step up attacks on security firms
- Analysis: How MySQL.com and Sun.com got hacked
- McAfee: Data Breach Challenges Open Doors For Storage, Security Providers
- Researchers point out holes in McAfee’s Web site
- Health Net, Inc. Investigating Unaccounted-for Server Drives
- Stolen LA laptop held 667 patient records
- RSA SecurID Breach Is a Lesson in APTs
- BP Loses Laptop With Gulf Claimant Data
And these were all published within the last week of March 2011…