As the old adage states, “security is a process, not a product.” True, but understated. In reality, enterprise security is a plethora of processes requiring constant management and oversight. Your organization can be fabulously adept in 99% of all security processes, but weaknesses in the remaining 1% can still result in massive vulnerabilities.
In a recent research survey, ESG asked security professionals at enterprise organizations (i.e., more than 1,000 employees) to pinpoint security process weaknesses as they relate to malware prevention. Here are the top five weaknesses identified:
- 29% of security professionals identified a weakness with providing cybersecurity training to non-IT employees. This comes up often, but it assumes that cybersecurity training for non-IT employees is somehow effective. Do we really think we can make Mary in accounting a CISSP? I’m being a wise guy here but I hope you get my point. In this era of sophisticated malware and social engineering, we really need some new research to understand the effectiveness of cybersecurity training, and the point at which it becomes worthless (and expensive) overkill.
- 22% of security professionals identified a weakness with providing cybersecurity for IT staff. Okay, this seems like a problem to me. I suggest that CISOs and CIOs fight for budget dollars and formal programs here.
- 19% of security professionals identified a weakness with patching systems in a timely manner. This too should be addressed. Is there a problem in the workflow between security and IT operations? Is there tight management of the trouble ticketing system? Are there SLAs in place?
- 19% of security professionals identified a weakness with writing custom IDS/IPS rules based upon threat and vulnerability intelligence. This may be okay if IDS/IPS vendors and open source communities take care of this but it is still worth looking at. Progressive organizations with strong CISO leadership use IDS/IPS on a proactive basis as a layer of defense for risk management. Given this, it may be worthwhile to invest in this area.
- 17% of security professionals identified a weakness with deploying IT assets in hardened configurations. This is also a red flag to me as it is a fundamental best practice. Are there security templates in place? Is someone circumventing standard processes? Are there formal reviews for configuration and change management? These kinds of deployment problems also hint at rogue (i.e., unknown) assets on the network. Look for these as well.
The dirty little secret is that enterprise security has become a vicious cycle of constant firefighting. Honorable? Yes, but this behavior doesn’t scale. In this era of advanced cyber threats, “shadow IT,” and mobility, enterprise security must be anchored by strong fundamentals or nothing else really matters.