Being Proactive Can Be as Simple as Giving Up a Seat at the Table
I think I speak for everyone in the IT Security Community when I say our efforts to be proactive are often met with rolling eyes, sighs, and looks of confusion. Its no secret that business units are reluctant to include Security Teams into their decisions. They view security as a pain the ass. “Security asks too many questions, Security says “No” way too much, Security adds cost, and Security slows down the implementation process” are common phrases Security Professionals hear.
I get it. I get it because a lot of it is true. I’m here so you can see it from our point of view and tell you why it’s necessary.
When you are not proactive in security, you are left with a laundry list of problems to clean up that someone else created. This creates a game of cat and mouse. When one issue is discovered and fixed, another one pops up. Its this cat and mouse game that gives the advantage to the attackers.
When you give Security a chance to be proactive, you are reducing the risk that is inherently created when you board a new system, install a new application, or interact with a new vendor.
Here are a couple reasons why you want to proactively include security into your next implementation and/or project.
Assessing the Risk
When a new project is about to kick-off, a member of the Security Team should be in the room. They will be asking all the tough questions. The questions that no one else would think to ask. “Who is accessing the data?”, “How is the data being accessed?”, “Is the data encrypted at rest and during transmission?”, “Is this going to be compliant with local and federal regulations?” These answers should be addressed prior to project kick-off.
I compare this assessment to approving a loan. Before a loan is distributed, it needs to be reviewed by a Risk Analyst to ensure the lender isn't over exposing themselves. The same should hold true for your next system or vendor implementation. Security should be part of the approval process.
Security by Design
Security Teams are faced with an ever growing list of issues to resolve. For most organization this list is impossible to keep up with. Companies often have to find out the hard way about a security risk. This can be discovered during a penetration test, reviewing logs, vulnerability scans, or, I hate to say, after a breach.
If the Security Team is involved prior to implementation, they will ensure the solution is implemented with security in mind. These solutions can include installing patches, building mitigating controls, and implementing best practices such as removing default passwords. By addressing these items before implementation you encounter less downtime while the system is in production, fewer maintenance windows, and reduced risk.
Monitoring and Scanning
Monitoring and scanning can be seen as a reactive practice, but when it comes to security, if you catch a vulnerability before an attacker does, you’re being proactive. These systems are only as good as the systems and networks they know to monitor. This is another reason why to involve your Security Team during a project. When done outside the normal scope, you are putting the organization at risk. If the Security Team does not know about your project they cannot protect your system from attack or monitor it for suspicious activity.
To be proactive in security, its as simple as giving up a seat at the table. Make an investment not only into an individual but into a culture. Stop thinking of security as a cost and start thinking of it as an insurance policy.
Next time you think about installing that new IoT device in your network… I ask you pick up the phone and give your Security Team a call to ask what they think.