The Senate Committee on Homeland Security and Governmental Affairs recently released an investigations report containing the results of the Committee’s look into the root causes of the massive Equifax breach in 2017. The cyber security incident involved the compromise of the personal information of over 145 million Americans. After reading this report, one might think the root cause of the breach is quite simply the failure of Equifax to patch its systems properly. The root cause is actually much deeper. Let’s take a look.
The Importance of Change Management in Cyber Security Processes
Understanding your baseline configurations and keeping track of changes are a necessary prerequisite to an effective vulnerability management program. In fact, it is impossible to implement the recommendations of this Senate report without first ensuring these underlying processes are operating effectively.
Many security professionals under appreciate how important configuration/change management are to the security of an organization. This concept is often glossed over because cyber security is still viewed too much as a “bolt-on” process – meaning that the organization waits for a problem to occur to address the issue. A more effective approach is to make configuration management a core function integrated throughout the environment from the beginning. The Senate report briefly mentioned this necessity in its comments regarding a lack of a comprehensive technology asset inventory – but it didn’t quite make the logical connections.
Business Processes as a Necessary Skill for Cyber Security Professionals
A secondary reason for this problem is that the business process side of security – including change management – is often overlooked. Many cyber security professionals are a little too “security-focused” and have not had the experience or in-depth training in some of the non-security processes. The result of this education gap is an inadequate level of attention placed in the wrong areas, and ineffective security is only one of the outcomes.
You may ask – how can you bridge this gap within your own personnel and mitigate the risk of costly security issues? Start by thinking long-term when investing in your team training. Rather than sending your employees to the latest trendy security workshop – consider sending them to a more comprehensive educational program like an IT Infrastructure Library (ITIL) certification course. ITIL’s systematic approach to IT service management can help businesses manage risk, establish cost-effective practices, and build a stable security environment that allows for growth and change – making it a more worthwhile endeavor.
Key Takeaways for Businesses
So, what can your business take from this report? Start by looking a little deeper than your established security processes. Look instead at how technology governance occurs within your organization. Seasoned CIOs and CISOs know that if you’re serious about security, you’re going to be just as serious about foundational processes like configuration and change management. These areas alone are key predictor of how effective the organization will be at keeping systems secure.