The nature of the security game hasn’t changed much over the past 10 to 20 years. Sure, the tools and technologies, and the types of offensive and defensive strategies that are employed have changed, but we’re still challenged in many of the same ways that we’ve always been. We’re still engaging in a losing battle against an invisible enemy while trying to make the best possible use of what little human and financial capital we are granted to defend our information ecosystems; all while trying to advocate for more support, more money, and more people to do the job – despite a perceived lack of ‘tangible’ evidence that the work we do has any actual value.
If you’ve been tasked to take an active role in protecting your organization’s information assets, then you may have already experienced some of this for yourself. To make matters worse, we now live in a mobile, social, cloud-based world, where information exists in a completely untethered state and our existing information ecosystems are incapable of containing it. The complex systems that we work with just continue becoming more complex, as do the social and organizational cultures that influence (and constrain) our efforts to defend them. And, truthfully, no one really has a ‘silver bullet solution’ for how we handle this growing problem.
Rather than figuring out how to shift our current security paradigm, most of us are so busy, and so limited by finite resources, that we reach for the ‘easy’ answers, the ‘low-hanging fruit’, thinking that any action is better than no action. It’s not uncommon to turn towards the next latest and greatest technical security ‘solution’ offered by a favored vendor, especially when you consider the types of ‘promises’ being made. While the technologies required to limit the likelihood, breadth, and depth of a potential security incident are indeed essential to a holistic information security program, there are limits to the protective value that these technical controls can offer.
If it’s clear to us that a technology-centric approach isn’t the answer, then what is? Regulatory compliance certainly hasn’t addressed the issue – nor have any of the ‘best practices’ that are commonly held up as the way security should be done. In some cases, the compliance/best practice mindset so commonly adopted nowadays has actually distracted us from the things that matter most. Caught up in answering the question of “are we compliant?” we forget to ask the question “are we secure?” Even more importantly, we forget to ask the question “does my security program make sense for me?”
With our rampant adoption of commoditized security technologies, increased emphasis on compliance mandates, and continued use of outmoded ‘best practices’, somewhere along the way the importance of *context* has been lost. I’m not sure it’s possible to pinpoint the exact moment that everything began to shift, but more and more organizations these days are taking a ‘one-size-fits-all’ approach to the protection of their information assets, asking “what does everyone else do?” While it may be a fair question, it’s not the right question to be asking. Asking the right questions takes courage – the courage to challenge the status quo, and to focus on what works instead of what’s popular or convenient.