Speaking to more than thirty IT security professionals on a weekly basis, in all those conversations we always start with a few basic questions to establish how much visibility they have around the most basic of security risks. Namely, how easily [quickly] are they able to identify who has permissions to what? How much insight do they have as to how these users got the permissions? How quickly would they know someone makes a critical change to their critical IT systems [ie those systems without which there would be serious business consequence]? What process do they have in place to audit and alert on access modification or extraction of confidential files or folders in real time?
You would think these questions are pretty simple to answer, though the reality is they are far too often overlooked. The reality is a lot [not all] of organisations are firefighting and are reactive in tackling these issues. It's not necessarily that they can't answer them at all (though many can't) it's more a case of they can't answer them proactively, within a responsible timeframe. At the RSA show in Singapore during a series of one-on-one interviews with 60 IT security mangers and CISOs we asked these questions; five declined to comment yet 45 of them reluctantly admittedly they did not have adequate means of answering these questions. ie 75 percent of organisations spoken to [reluctantly] admitted they had some basic yet critical gaps in their ability to answer these questions.
That begs question here of why? One of the issues we've seen is the deployment of hugely complex and sophisticated security is in place but it's over-complicated and overkill when it comes to answering the most basic questions.There are also many instances of product adoption without adequate understanding or planning as to how to handle what comes out the other end. Ultimately if the IT security teams don't know what questions they are trying to answer in the first place there are always going to be holes. It's also fair to say that there is so much vendor hype in the market – and people buy vendors for vendor's sake… There is without a doubt a raft of heavily funded, well-marketed yet half-baked products half deployed that has also been a real issue for lots of enterprises. Sometimes ending up worse than they were before they started.
Security should start (not finish) with a few common sense questions, which should be asked regularly and systematically and tested at random without prior warning. We have a culture of impromptu fire drills, where we all have to stand outside the building to check the alarms and procedures work… Yet how many organisations do you know REALLY test their IT security in the same fashion? Not enough of them. I'm not tarring everyone with the same brush here, kudos for those that already do it, however I think it's reasonable to say people spend more time putting out ‘cyber-fires' and handling breaches than they do checking their measures and processes to prevent them. Given the option of a building burning down or a high profile data breach, which one causes the most amount of damage?
Check the basics, ask common sense questions regularly and only expect what you inspect.
Contributed by Aidan Simister, global SVP for IT auditing, security and compliance vendor, Lepide Software