[BreachExchange] Realistically avoiding a security breach 101

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 16 14:15:44 EDT 2018 

https://www.cuinsight.com/realistically-avoiding-security-breach-101.html

Enter “how to avoid a security breach” in any search engine and you will
see no shortage of opinion and advice.  Some of it salient and wise. Some
of it questionable and dangerous. This article is based on twenty five
years spent in the financial, health care and telecommunication industries
focusing on technical and security issues.  I have personally been involved
in handling three significant security breaches, dozens of reputation
affecting security events, and thousands of security incidents affecting
productivity.

Organization size and security budget applied are irrelevant to the
competency and preparedness of IT people responsible for that security.  I
have seen effective security programs on a shoe string budget and grossly
ineffective programs with big budget, corporate authority, and scores of
security people.

So, how do credit unions and other financial institutions avoid a security
breach?  Below are the hard realities:

#1.  Accept You Cannot Avoid A Security Breach.  If they want in, they will
get in.  The state of the criminal underworld’s technical expertise is as
advanced, if not higher, than government’s law enforcement and the best
corporate security organizations around the world.  Information Security is
a billion dollar industry and as long as software and people mix, security
will always be on the radar and someone will find a way to break it. The
real problem is unrealistic expectations.

Solutions

- Accept that all strategic initiatives and decisions create the potential
for security events.  Involve your technical and security teams early in
the decisioning process to walk through the risk, before investments are
made and resources spent.  There is no such thing as a zero-risk initiative
or customer product.
- Mitigate risk by developing a risk acceptance program across all
departments.  Give the program teeth with leadership involvement and
signature and review on a cadence, every three to six months.  Give
awareness to the risks up and down the chain of command so teams can
prioritize and focus safely.
- Develop an ownership culture.  Every worker owns their role and
contribution.  Then empower identified high-risk teams with ideas to solve,
give time to employ ideas, and reward ingenuity.  Give people a reason to
get the organization buttoned up and care about security versus fear and
threats.

#2.  Your People’s Ethics and Values Are the Security Risk.  Culture is
king.  Are you hiring for skills or for culture?  Are your people enforcing
the organizations’ mission and values or are you not sure?  So many
organizations hire for skill first and see culture and values as secondary
or not at all.  Without leadership, your work force will make decisions
that may not be in the best interest of your organization.  Or worse,
workers will disengage, not care, and produce at the minimal level which
opens the door for a security event.  The problem is leadership.

Solutions

- Define and communicate the organizations’ mission, values and ethics, and
each person’s contribution how it enforces culture.  Leaders need to live
the values, show the ethics, demonstrating consistency to mission and
protection of culture.
- Spend considerable time in the hiring process to ensure quality
candidates meet multiple objectives.  In many cases, not enough time is
spent recruiting talented people with the right business skills focused on
enforcing the culture the organization is building.
- Avoid omnipotent information security or technology teams.  Do not accept
convenient cessation of mission and values in the conduct of a security
event or incident.  Instead, cultivate partnership and consultation versus
negative and inflammatory rhetoric during collaboration.

#3.  Constantly Identify and Communicate Where You Are Weak.  So many
security events and incidents occur when leaders do not have visibility on
the  various states of their operation. I’ve witnessed fear in letting
senior leaders know infrastructure weaknesses, fear of being accountable,
and succumbing to political pressure for fear of losing a customer or their
job.  I’ve also seen experts hired to fix the larger issues, then
marginalized and ignored trying to raise red flags as the culture doesn’t
support reporting of defects or acceptance of failure. Last, is the
demanding of interpersonal savvy interaction versus academic debate of the
solutions to problems.  The problem is communication.

Solutions

- Change culture.  Routinely ask and reward the concept of feedback and
need for academic debate.  Leaders need to practice not just accepting
feedback, but giving feedback by mentoring and teaching business methods
and practices.
- Provide and educate on tools to help communicate and collaborate.  ITSM,
Intranet, Email, IM, Yammer, or phone number to call. Any one or all of
these tools should be available within the organization.
- Establish trust and build confidence with policies on safe harbor,
whistleblowing, and non-retaliatory behavior.  Incidents should go directly
to senior levels and managed justly against the organizations ethics and
values policies.

#4.  Operational Complexity and Inconsistency Increase Security
Difficulty.  In other words, the more difficult the infrastructure
architecture, the more difficult security incidents are to detect.  The
more entangled and complex the operation is performed, the tougher security
events are to detect! Our smartest people have a tendency to over think and
over complicate.  Everything from poorly thought through technical
solutions, quick and dirty fixes to complex problems, to trying to address
every possibility, ending up consuming hundreds of hours on the less than
1% situations.

Solutions

- Embrace and evangelize simplicity in the corporate philosophy.  Seek out
and destroy complexity with Lean or Six Sigma methodology.  Business
operations and technology teams, alike.
- Focus internal training on how your business works and reward
competency.  Everyone needs to understand the basics of the operation, the
importance of the product delivered to the customer, and the risks involved
conducting business.  If unaware of these areas, risks cannot be identified
nor can anomalous behavior spotted. Investing in operational knowledge
increases technical security people’s capabilities to catch events, else
may be disregarded as default or symptomatic.
- Measure only what is important.  Do not measure for the sake of, which is
a resource waste.  Measure for developing of the baseline so consistency in
delivery can be watched and alerted upon.  Focusing more on the myriad of
measurements and less on the consistent outcomes, the more difficult
security incidents become to detect.

#5.  Information Security is a program:  No one person or tool does it
all.  The InfoSec industry is at full throttle with the media reporting on
every security breach that affects our money, our safety, and our
security.  Wholesale consumer trust has eroded and is hot news. In
response, organizations react with security staffing, purchasing and
deployment of many security tool sets to report against security policies
written.  Some organizations expect immediate ROI, putting pressure on
security personnel to deliver assurances to business units and customers
alike. Where is the evidentiary data and quantification of information
security and risk?  How many tools or people does it take?

Solutions

- Implement security awareness education and training for everyone.  This
prevailing advice is simple and advertised for years as common practice,
yet many organizations still do not do it.  Or, they do not invest enough
to make it effective nor measure it over time with testing.
- Incorporate Information Security methods and practices into the DNA of
every Information Technologist in the department.  From the help desk to
the architect and everyone in between.  This knowledge is no longer an
“InfoSec” problem, but a business problem foremost that technology people
can help with.
- Take hard looks at what types of tools and how many before deciding what
to invest in.  Frankly, this is one area InfoSec tools has the most
opportunity to improve. So many tools are singular focused and require
other tools for analytics and reporting.  Yet, it’s easy to go nuts with
tools that only do one or two things and eat precious budget. Lean on your
security vendors to do more and provide more… with less.  Vote with your
dollars, if they don’t listen or perform.

Technology alone is not the source to blame for security breaches.  It’s
the choices made with our workforce, whether inside a credit union, another
financial institution, or any business.  It’s critical to recognize
leadership, people, and knowledge management play the pivotal role in
security breach chance possibilities.

Nevertheless, those leaders who start with these perspectives first should
heed what is said here before you focus on the technology side of the
business problem.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180316/ade426b7/attachment.html>

More information about the BreachExchange mailing list