[BreachExchange] How CSOs can avoid the shadow of a cybersecurity Groundhog Day

Tue Feb 14 19:34:14 EST 2017

http://www.appstechnews.com/news/2017/feb/14/how-csos-can-
avoid-shadow-cybersecurity-groundhog-day/

Every year, in Pennsylvania, people gather in droves to watch a groundhog
predict how much longer winter will last. For Americans, it’s a pretty big
deal to see this glorified gerbil pop up and look terrified as throngs of
onlookers wait in hushed silence to see whether the mighty Phil from
Punxsutawney will see his shadow.

Historically, the varmint is only 39% accurate, but in truth that’s
probably better than most human non-groundhog meteorologists.

Like groundhogs, security leadership and CSOs constantly emerge from their
burrows — excuse me, offices — and tentatively look around for their
shadows. In this scenario, it’s usually a compromise or data breach.

Once they see it, they scurry back below ground to their safe space where
they cross their fingers and hope everything blows over. They can re-emerge
once the bad weather is gone.

This plays out time and time again. Year after year, more security leaders
see their shadow. Why? Because when it comes to cyber security, people
usually face the same direction. Unfortunately, the position of the sun
(the security industry itself) typically doesn’t move much.

CSOs tend to fall into the same traps day in, day out, in an often vicious,
unbreakable cycle – sort of like the plot of the movie Groundhog Day.

Security becomes a constant game of whack-a-mole (or whack-a-groundhog, in
this case); a threat pops up, you try your best to knock it back into its
hole, only to have another appear. Then another, and another. It’s nearly
impossible to keep up. The shadow of the last breach or most recent
compromise is always there, taunting them. In the end, it leads to six more
weeks (or more) of winter (subpar security).

Attitudes toward security must shift if security leadership and CSOs ever
hope to stop staring at that shadow and break the cycle. Here are some best
practices cyber security pros can leverage to break out of the Groundhog
Day rut and improve security. It’s time to emerge shadow-free.

Be proactive

Trying to stop threats as they occur is inadequate. Eventually, you’ll be
overpowered and something will get through. Protect the network and your
apps at the edge. Put solutions in place that catch and mitigate threats
before they get in.

Defend your network and apps

Do you have adequate protection from DDoS attacks? How about the ability to
uncover threats concealed in SSL- encrypted traffic? These types of
solutions can help you avoid reliving the same attacks over and over again.

Create and enforce a strong security policy

An unenforced security policy is less valuable than the paper it’s printed
on. Hold end-users, employees and yourself accountable. Companies will
spend a great deal of time drafting security policies that ultimately go
unenforced.

Train your users

Do your end-users know how to set strong passwords across personal and
business accounts? How to use two-factor authentication? How to spot a
phishing email? Train them to be security-minded.

Think security first

So often, security is an afterthought. When you spin up apps and solutions,
security should always be among the first questions.

Test and assess

Perform tests on your network and applications to uncover any potential
vulnerabilities. Just because you haven’t seen it, doesn’t mean it isn’t
there. Regular tests can break you out of the repetitive cycle of fighting
threats.

These simple steps can help CSOs avoid seeing their shadow and getting
stuck with six more weeks (or much longer) of bad security.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170214/ab5bfd92/attachment.html>