The world has spent untold billions of dollars on cyber security technologies and services. Despite this spending, cyber breaches continue. They’re getting bigger and badder. Does any of this spending do any good? Possibly, but it’s probably not giving you the benefit you think you’re getting. In fact, you probably want to first look at something else entirely. It’s a secret not many people know, but hopefully one which will get more widespread focus.
Strong cyber security is impossible to attain directly. The simple reason is that cyber security has been, and always will be, a byproduct. It’s the result that happens when your organization has implemented strong technology governance. Attacking the security problem directly without addressing the underlying foundation won’t get you very far. Good endpoint software won’t help much if your asset management processes are broken. Hence, breaches continue to occur despite all of these billions of dollars being spent.
As an example, the big news this week is that the Department of Homeland Security (DHS) just released an alert about the BlueKeep vulnerability. DHS has been successful in using exploit code to compromise Windows 2000. Really? It would be interesting to know how much money DHS spent on this. If you’re still running Windows 2000 in your enterprise, you have some bigger problems than BlueKeep. In the alert, DHS makes the same recommendations they always do: patch your systems, use supported operating systems, only allow needed services through your firewall, etc.
Looking at the DHS alert on BlueKeep, however, illustrates the main point here on how to achieve good cyber security. The mitigations and recommendations which DHS provides are the same for this vulnerability as they are for many, if not most, of all of the other vulnerabilities out there. Guess what? They all come back to good technology governance. You know, the basics.
Cyber Security Basic Training
A key reason why there are so many breaches is that relatively few organizations operate with strong enough basic process to enable good cyber security to happen. For example, with the Equifax breach there were major problems with asset management and patch management. It wasn’t that their firewalls and endpoint security software weren’t good enough.
If a company’s information technology is well managed with solid, repeatable internal processes around hardware and software asset management, configuration and change management, and DevOps, then stronger cyber security will naturally happen.
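To make the point concrete, here is an added example (not from the original post) of what an asset register has to hold before the standard DHS advice can even be acted on: the check flags hosts past end of support, hosts exposing services they don't need, and hosts exposing RDP (the service BlueKeep affects) without the fix recorded. The inventory, its field names and the "bluekeep" patch tag are constructed for the example.

```python
"""Added example: a governance-style audit over a constructed asset inventory."""
from datetime import date

RDP_PORT = 3389  # BlueKeep is an RDP vulnerability; RDP listens on 3389 by default

# Constructed sample inventory. Each record is the minimum a hardware/software
# asset register needs: what the host runs, when support ends, what it exposes,
# what it is supposed to expose, and which fixes have been applied.
INVENTORY = [
    {"host": "web01", "os": "Windows Server 2019", "eol": date(2029, 1, 9),
     "open_ports": [443], "needed_ports": {443}, "patched": {"bluekeep"}},
    {"host": "legacy-db", "os": "Windows 2000", "eol": date(2010, 7, 13),
     "open_ports": [1433, 3389], "needed_ports": {1433}, "patched": set()},
    {"host": "jump01", "os": "Windows Server 2008 R2", "eol": date(2020, 1, 14),
     "open_ports": [3389], "needed_ports": {3389}, "patched": set()},
]


def audit(inventory, today=date(2019, 6, 20)):
    """Return {host: [issue, ...]} mirroring the three recurring recommendations:
    run supported operating systems, expose only needed services, patch."""
    findings = {}
    for asset in inventory:
        issues = []
        # 1. Supported operating system?
        if asset["eol"] < today:
            issues.append(f"unsupported OS ({asset['os']}, support ended {asset['eol']})")
        # 2. Only needed services reachable through the firewall?
        unneeded = sorted(set(asset["open_ports"]) - asset["needed_ports"])
        if unneeded:
            issues.append(f"exposed services not on the needed list: {unneeded}")
        # 3. Patched for the vulnerability of the week?
        if RDP_PORT in asset["open_ports"] and "bluekeep" not in asset["patched"]:
            issues.append("RDP reachable and BlueKeep fix not recorded")
        findings[asset["host"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit(INVENTORY).items():
        print(host, "->", issues or "ok")
```

Without the register, none of the three checks can be answered for the whole estate, which is exactly the gap the post is describing.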
If your internal governance and operational processes aren’t defined and solidly implemented, put your organization through basic training. Investing time in these areas will pay off. You’ll find that not only will you “automatically” get stronger cyber security as a natural byproduct, but you’ll probably get more stable systems and happier customers too.
The Challenge of Cyber Security
Things are often easier said than done. DHS security alerts are a broken record of the same recommendations made over and over again. One of the reasons why many companies don’t adopt the basics is because often the staff haven’t had any role models. Places they’ve worked didn’t have good process, so they don’t know what it looks like. They also aren’t able to appreciate the many benefits. Many tech people think things like change management only slow them down.
An understandable challenge exists for small businesses and startups. Small businesses often don’t have the range of positions to allow for full segregation of duties and other controls. However, proper leveraging of today’s technology can make sure there are good controls in place that help organizations enforce good process.
Key Takeaways for Businesses
Any business using technology in the course of daily operations, which is pretty close to all of them, needs to understand its cyber security posture. Too often businesses throw money at the problem thinking the latest and greatest technologies will automatically fix things. This mistake is a big reason why things don’t seem to generally improve. Greater reliance on technology requires greater levels of governance and process in your technology organization. A stronger cyber security posture will be a natural result.