Security, like many practices, is evolving. To stay ahead of threats, organizations need to take a modern approach to security. But what does that actually mean?
To break down what qualifies as a modern approach to security, let’s first identify a few key qualities that modern security teams should possess. They include:
- Adoption of the mindset that the company has already been compromised
- Honesty about survivability
- The ability to rapidly adapt to the new and unknown
- A focus on hiring the right people (and not just buying tools)
Convincing an organization to make this kind of shift is easier said than done, though. Among the obstacles you might encounter include:
- Legacy infrastructure and processes. For example: you believe that better endpoint monitoring will improve your security team’s visibility, but lack of standardized configuration management tools for desktops means there is no easy way to deploy it.
- Lack of resources. Because teams are overwhelmed with their day-to-day tasks, they cannot take on new, more proactive measures and longer term projects even if it could mean improvements later down the line.
The goal should be to remove these obstacles and provide security leadership with a realistic path to a modern security approach.
Here’s how to get there:
1. Adopt the mindset that the company has already been compromised
Considering how sophisticated and prevalent attacks have become, it’s not surprising that not only will most companies face a breach, but most of them won’t catch it right away—or at all in some cases.
Given that reality, it’s generally recommended in the modern view that teams spend part of their effort looking for active compromises instead of focusing entirely on prevention and passive detection.
To convey the importance of this mindset to leadership, educate them on how common breaches are and how costly they can be using real data. Find competitors and similar companies that suffered a compromise and explain how it affected their business (Statistics can really help here. You can use this format as a guideline.).
Then, regularly conduct small-scale assessments to find vulnerabilities and breaches within your own company and show that evidence to leadership. Explain to them how a breach could affect the business from a cost or reputation perspective, and how risk can be reduced by leveraging modern processes and technologies to proactively search for intrusions.
2. Get honest about survivability
To survive against today’s attacks, you need to be ready for the worst. Take Google’s “fail fast, learn fast” methodology as a good corporate example.
To do this in security:
- Document a few breach scenarios
- Lay out how effective the current processes and technology would (or wouldn't) be in detecting and responding to them and how long it might take (using real-life previous examples if they exist)
- List out the other resources that would need to be involved to supplement the processes and technologies currently in place (if you find them insufficient)
- Propose an incident response plan to respond to threats and the resources you’d need to make it effective (e.g. security orchestration, forming a security operations center, etc.)
- Develop a budget and plan for implementing this new plan
3. Be willing to question assumptions, experiment, and try new things
This can be tough if leadership is set in their ways when it comes to security, but the following can be an effective approach.
Conduct short, proof-of-concept experiments with measurable goals and outcomes. For example, if you think the company could benefit from regular pen testing, rather than red teaming an entire network, just test it on one critical app. Based on the results of that experiment:
- Explain why the company needs a full-scale penetration test
- Develop a plan for how to address the remediation
- Provide estimated costs and request resource allocation
4. Focus on hiring the right people (not just buying tools)
We’ve written extensively about why it’s so important to invest in people before technology. Years ago when security was a check box, a tools-first approach to security might have been tolerated. It is now generally accepted that to be effective at securing an organization, great tools alone are insufficient.
A critical layer of human insight is required to effectively respond and adapt to attackers which are constantly evolving their methods. Even more, you need the right people in place to select the right security technology and operationalize it in the first place.
To help leadership focus on hiring the right people, take ownership of the process by helping with recruiting efforts. One way you can do this is by coming up with a case for why hiring dedicated personnel for key tasks will provide a better ROI than purchasing a product first.
As the threat landscape becomes increasingly complex, we as a community can be far more effective at defending against our adversaries, protecting our assets and customers, and ensuring business continuity.
Another modern approach to achieving security at scale is by connecting your tools and automating tasks between them with security orchestration and automation. With orchestration and automation, you can quickly optimize their security operations, making their security teams more productive and efficient.