- Pay attention to basic security procedures and attitudes
- Explore quantifying the risk from an insurance perspective
Most attacks on most networks could be defeated with just four key strategies, according to this year’s winner of the SANS Institute 2011 US National Cybersecurity Innovation Award – Australia’s Defence Signals Directorate: patching applications and always using the latest version of the software; keeping operating systems patched; keeping admin rights under strict control (and forbidding the use of administrative accounts for e-mail and browsing); and whitelisting applications. The basis of these recommendations is that security is a behavioural problem, not a technical problem. In other words, if users don’t have the basic security procedures and the right attitude, no amount of technology investment is going to create the needed security.
So how do you, as the corporate head of governance, risk and compliance (GRC) processes, instill these key strategies into the organisation? Patching and constantly updating applications is not an easy or enviable task, because corporate apps often interact with other apps that may not take kindly to patches or updates. Patching requires a lot of testing, and you risk irritating users who may find their normal activities disrupted. Similarly with application whitelisting – many users want the right to deploy new apps to get their jobs done more expediently, and having to go through an IT department’s vetting process again creates a delay.
This gets us to the crux of the problem: how to define the business value of risk? If corporate users are made painfully aware of the possible economic losses stemming from ignoring obvious and straightforward security procedures, maybe their assessment of ‘wasted time’ will change as well. One way of doing such a calculation is to ask your insurance company to estimate the premium they would charge to indemnify you against financial losses attributable to neglecting one of the four key strategies mentioned above (you can obviously add other simple security blunders to the list).
CISOs will still face a plethora of different security risks they need to address, but wouldn’t it help a lot if such security measures were built on reliable basic security processes and attitudes throughout the company? I’m hopeful – after all, we have moved on from the security attitude of the early noughties, where ‘real men didn’t make back-ups’.