[BreachExchange] You deserve what you tolerate: Why companies must enforce security standards

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 24 21:53:43 EDT 2017


http://www.zdnet.com/article/you-deserve-what-you-tolerate-why-companies-must-enforce-security-standards/

After reading through some security blogs and strategy papers, I saw what
appeared to be an underlying theme across the narratives I'd read: Security
tolerates failure.

It's understandable that it happens, but I think if we are honest with
ourselves, it happens because of a collective acceptance that close enough
is good enough. It can be easy for any of us to offload responsibility when
so many things aren't in our control, and we can feel powerless because of
it. In almost every instance I read about, I saw leadership and technical
security folks pointing fingers at all kinds of issues, but I hardly ever
read about any of them taking ownership -- or even acknowledging
that security earned this failure. The bad things did not happen through
osmosis; no evil hacker just magically jumped into the network. Failures
occurred because of a series of bad decisions, poor strategy, and a lack of
enforcement of well-known security practices.

Let's think about this for a second: You deserve what you tolerate. What
does that message mean in the context of cybersecurity and security
operations?

If companies collectively turn a blind eye to lackluster security policies
and don't bother to enforce the standards that were put in place solely to
defend their networks, these organizations deserve the bad things that will
inevitably occur because of those decisions. If companies do not wish to
enforce a user policy because users gripe about it, again, they deserve the
work and stress that comes with the imminent breach headed their way. If
companies tolerate vendors selling them technology that comes with default
hard-coded back doors and lack ways to technically control or patch that
device, it can't be surprising when it becomes an IoT threat to the
network and every other network on the server.

Here is the first half of the hard part of accepting failure that comes
from tolerating it -- this takes accountability and willpower:

- Tolerating overhyped technology means we won't get what we deserve (or
  what we paid for).
- If we don't enforce our policies, we let down our users, our leadership,
  and shareholders.
- If we don't align our strategy with the business, we can't be surprised
  when we aren't involved in decisions and our initiatives are sidelined.

We should take steps that will help us stop failing and stop tolerating
anything less than victory. There is only one thing to do: raise the level
of expectations.

Here is the hard part -- organizations still have to actually do it. There
is no AI that will help here:

- If companies have a user policy that says "we monitor your activities
  and we are watching what you do on our network," they must enforce it.
- Don't accept smart devices into networks without having a plan in place
  to track and patch that item.
- Make the C-Level team realize that security is not just a part of the
  business: It's critical to its success in today's world. Don't take a
  back seat.
- Analyze and understand the nuances, technical needs, and implications of
  any technology your team is considering using. Don't just move forward
  with a POC and think it's all going to work out (it won't).

That goes for the good and the bad. The choice of whether the results lean
more toward the positive or the negative is up to us and how much failure
we are willing to stomach before we flip the script and move decisively
away from tolerance.