The best laid plans, etc., etc. I’m sure you’re familiar with all of the trite quotes and references suggesting the wisdom of planning. None of those plans, however, matter much in the long run if they’re not executed effectively.
According to Grant Shirk of Vera, it’s crucial that security strategy be clearly defined, broadly communicated, and practically implemented. Shirk also suggests, “Put another way, a good strategy allows for creativity and flexibility around how execution happens.”
To help organizations effectively plan and execute security strategy, Shirk shares five keys:
1. Identify most valuable digital assets
In a Utopian world you’d be able to secure and protect all of your network resources and digital assets. However, we don’t live in a Utopian world. We live in a world where there are far more network resources and digital assets that can possibly be monitored and secured equally given the time and tools available.
Shirk says, “The way to address this is to shift your security focus to directly protect the data and applications that drive your business. These specific digital assets are together the most valuable and the most distributed in any organization, and your mandate is to identify, track, and control them as efficiently as possible.”
2. The perimeter is dead. Get over it
The perimeter has actually been dead for years. It started with laptops and remote workers, then mobile devices, and finally cloud services and data. In many organizations today it’s virtually impossible to point at one physical location and say “This is inside the perimeter”.
Crucial data can be almost anywhere, and organizations need to focus resources on protecting data—wherever it may be—rather than on securing the internal network from the external attackers.
3. Attacks are evolving
The techniques and exploits employed by attackers also minimize the value of “perimeter” security. Whether it’s an inside job or an attacker that has somehow stolen or compromised the credentials of a authorized user, the reality is that at the point of attack or data exfiltration the activity appears to legitimate. It’s more important to monitor for anomalous or suspicious activity than to monitor for known malware or block specific exploits.
4. Widen the net
Most private companies are reluctant to share security information or evidence of attacks. Cyberseurity and malicious attacks continue to expand in scope and impact, though, and everyone benefits when government agencies, public, and private organizations compare notes.
Shirk states, “The way to tackle the problem is to proactively involve security innovators, private and public sector organizations, and individual consumers in the conversation, with the goal of rapidly identifying new solutions and strategies.”
5. Build a winning team
It is challenging for any one company to do it all. As one organization partners with another it is important to seek out companies that fit well with the culture, business goals, and security mindset. Collaborating and cooperating with companies that have strengths that complement your organization’s weaknesses is a solid strategy for success.
The most important element of all of this, however, is execution. You need to keep this advice in mind and build your security policies and controls around it—but you also need to make sure it is effectively implemented and properly executed.
- Malcom Harkins Talks about Ethical and Legal Obligations of the CISO - October 20, 2022
- Maggie MacAlpine Chats about Collaborative Threat Intel Initiative - October 14, 2022
- Intel Outlines Focus on Innovative Security Technologies - October 8, 2022