With the explosion of new technologies and IT solutions of all kinds, it’s sometimes hard to see the wood for the trees. Nevertheless, every organization must make sure that its next generation security strategy is underpinned by relevant principles and not just a laundry list of tactics and actions.
- Think About Risk, Not Just Expense
Time, effort and money are what you have to spend to protect your IT. Yet it would be shortsighted to calculate such expenses for security simply as fixed amounts. Even though security surveys and benchmark figures offer interesting industry comparisons, what really counts in the equation is your risk. An IT security breach could mean the loss of data, loss of a good reputation, loss of compliance and at its worst, put organizations, employees and citizens at risk. All these threats should be evaluated in terms of probability and business impact, showing you where to spend the most first (on high probability/high impact risks).
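The probability-times-impact evaluation described above, worked through as an added example (this is not code from the original article; the risk names, probabilities, impact figures, control costs and thresholds are constructed sample values). It ranks a small risk register by annual expected loss and then checks, for each candidate control, whether the loss it avoids outweighs its own cost, which is the difference between spending a fixed amount and spending against risk:

```python
"""Risk-based prioritisation of security spend (added example, constructed data)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    probability: float      # estimated annual likelihood, 0.0 .. 1.0
    impact: float           # estimated loss per occurrence, in currency units
    control_cost: float     # annual cost of the mitigation being considered
    reduction: float        # fraction of the expected loss the control removes, 0 .. 1

    @property
    def expected_loss(self) -> float:
        """Annualised expected loss: probability x impact."""
        return self.probability * self.impact

    @property
    def net_benefit(self) -> float:
        """Loss avoided by the control minus what the control costs per year."""
        return self.expected_loss * self.reduction - self.control_cost


def bucket(risk: Risk, prob_threshold: float = 0.3, impact_threshold: float = 100_000) -> str:
    """Qualitative probability/impact cell, for a matrix-style view of the register.

    Thresholds are assumptions for this example; choose them for your organisation.
    """
    prob = "high probability" if risk.probability >= prob_threshold else "low probability"
    impact = "high impact" if risk.impact >= impact_threshold else "low impact"
    return f"{prob} / {impact}"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest expected annual loss first: where to look first, regardless of cost."""
    return sorted(register, key=lambda r: r.expected_loss, reverse=True)


def worth_funding(register: List[Risk]) -> List[Risk]:
    """Controls whose avoided loss exceeds their cost, best return first."""
    funded = [r for r in register if r.net_benefit > 0]
    return sorted(funded, key=lambda r: r.net_benefit, reverse=True)


# Constructed sample register (not real figures).
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", 0.40, 500_000, 60_000, 0.7),
    Risk("Lost unencrypted laptop", 0.60, 50_000, 10_000, 0.9),
    Risk("Data centre flood", 0.02, 2_000_000, 150_000, 0.8),
    Risk("Phishing credential theft", 0.80, 120_000, 25_000, 0.6),
]

if __name__ == "__main__":
    print("Ranked by expected annual loss:")
    for r in prioritise(SAMPLE_REGISTER):
        print(f"  {r.name:30} {r.expected_loss:>12,.0f}  ({bucket(r)})")
    print("Controls worth funding (avoided loss > control cost):")
    for r in worth_funding(SAMPLE_REGISTER):
        print(f"  {r.name:30} net benefit {r.net_benefit:>10,.0f}")
```

Note what the two rankings show: the flood has by far the largest single-event impact, but its low probability gives it a modest expected loss, and the proposed control costs more than the loss it would avoid, so it drops out of the funded list. The high-probability, high-impact ransomware and phishing entries come first in both views, which is the ordering the text recommends.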
- Process, Process and Process
You know the saying that the three most important things in real estate are location, location and location? In IT security, you might say that they are process, process and process. Sound processes to implement security are often more effective than technology. Suppose your IT department develops its own code or business applications. The wrong process is to develop and deploy the app, then tell the security team afterward. The right process is to bring the security team in at the start, then develop and deploy the app. In your enthusiasm to use DevOps, a microservices architecture, or the latest role-based access technology, remember to use robust processes that also ensure security is considered and implemented in a timely way.
- Automation
Whether you already use automation or not, you’re likely to need even more of it with your next generation security strategy. There’s simply too much to check to leave it in the hands of human beings, however capable. If your process (see above) is sound, your automation should then make a good thing even better. Some tasks and activities are better candidates than others for automation. Criteria for automating include the value you derive and the ease of automating. However, don’t automate to the complete exclusion of human intervention either. IT security staff working together with IT security applications and automation is still the best combination.
- User Information Security Awareness
Your next generation security strategy will have to admit what many CIOs would rather not: that some users are now doing their own IT and bypassing the IT department completely. Can you blame users? With a credit card, they can buy cloud services today, stop them tomorrow and avoid waiting weeks or months for internal IT teams to deliver. This “shadow IT” will be further accentuated in the future. So, give every user proper information security training. That way, your overall IT security has a better chance of functioning effectively.
- Keep Using What You Have Today, as Well
Conventional firewalls, intrusion prevention/detection systems and antivirus software may no longer be able to handle all the new threats, but they still represent considerable security value. Most attacks perpetrated today are still ones that these tools can effectively block. For the foreseeable future, they are still likely to be needed by most organizations, even those that are “born on the web.” They then need to be augmented by new technologies and tools capable of handling the additional, new threats.
Now it’s time to put that next generation security strategy into action. And as you do so, keep these five best practices in mind to help you and your enterprise fend off the wolves while you wend your way through the wood.