[BreachExchange] Playing nicely with others is the key to security

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 23 19:58:58 EDT 2016 

http://www.scmagazineuk.com/playing-nicely-with-others-is-
the-key-to-security/article/515141/

With no end in sight for data breaches, IT security is certainly
experiencing it's 15 minutes of fame at the moment but perhaps not for the
reasons it would like. This proliferation of data breaches would seem to
suggest that companies haven't managed to get their security quite right
yet so isn't it time we looked at why that might be?

There is a plethora of security solutions on the market at the moment from
IT security vendors, niche vendors and the bigger, more generalist IT
vendors. This is absolutely as it should be because there is also a
plethora of security challenges to match those solutions.  Indeed, there is
no silver bullet when it comes to security so having a myriad of choice is
great for the customer and something they should embrace. It means that
they can choose the right combination of solutions for their needs.
Unfortunately, that's a bit more complicated than it might first appear.

Security is a complicated thing and no one can blame a customer for wanting
to invest in just one technology. It means that they only have to buy one
solution and commit to one contract, which could make good financial sense.
And it means that their IT teams only need to be trained up on and manage
that one solution which might make a lot of sense from a resource point of
view. But the simple truth is that investing in just one security solution
probably means one of two things - either you're covered in one particular
area of security well but no others, or you're covered across the board but
thinly.

When you think about true end-to-end security, it includes a huge volume of
solution areas including privilege access, network access control,
firewalls, threat detection, alerting systems, mobile data security and
much, much more. For full end-to-end vulnerability management, you need
layers of security.

Embracing this concept of security layers and buying the right tools for
the right jobs is going to be what saves companies from data breaches. If
you think about a Swiss Army knife, there is a limit to the amount of tools
attached to the device before it becomes unusable and the same is true of
security solutions. There's a reason why a hammer doesn't come with a 500
page manual - because the job it does is clear for all to see, that's the
beauty of it and that's arguably why it's been around so long. We need to
adopt the same mindset for security solutions - buy the right set of tools
for your particular IT security challenges but, and this is the key to
success, make sure they integrate.

There's nothing worse than a fantastic tool that gives great insights to
the IT team but that doesn't integrate into the reporting system, for
instance, so it becomes immediately less effective. It's imperative that
whatever technologies you choose, you ensure that you can take the data out
of them and combine it with other systems to get a holistic view of your
security. The more visibility you have of something, the better decisions
you can make and the better integrated your systems, the quicker you'll get
that visibility and the quicker you'll be able to make those decisions.

One way to ensure that the different technology solutions you invest in
will work together seamlessly is to clarify before purchase by asking the
right questions of the vendors you're considering. You can also test this
during the proof-of-concept stage. But it's also worth considering
enlisting the help of a Systems Integrator (SI); they have a wealth of
knowledge of what works well together and it's their job to be well-versed
in the latest technologies. The security industry is moving at an
incredibly fast pace so it's wise to get help navigating the various
technologies and platforms available so that you can choose the correct
products and solutions for your business. And of course, making integration
central to your IT security strategy has the added benefit of
future-proofing your business as you will easily be able to add additional
tools as and when new vulnerabilities come to light.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160823/490db500/attachment.html>

More information about the BreachExchange mailing list