Updated: Dec 28, 2022
Just a thought from a cyber security professional who has spent the past 11 years continuously engaged in improving the security posture of organizations across industries including finance, aviation, services and power.
Numerous voices have been heard, plenty of technical jargon has been introduced and thousands of solutions have been deployed at budget-shaking cost to secure our assets, yet one fear remains with every security practitioner: are we there yet?
In this article I would like to raise a few points that should help us function a little better and that justify what I call the 'Turn Inward Security Practice'.
1. Horrible Decision Making
"If you do not involve security professionals from across the department, including those whose expertise lies outside the area in question, your decision-making process is likely to fail."
Security decision making is often confined to the highest management, who have only a high-level view of what is happening on the ground. They therefore miss the basic, real challenges, and their decisions end up complicating a problem rather than solving it.
A little bias is also observed among top management, where statements such as "I love this product" are heard. A problem is not solved by what you love but by evaluating and testing a solution to its core to learn whether it really fits. Therefore;
Avoid a romance with a solution. Be fair while working out the solution to a problem.
Involve as many professionals, of all levels, as you can. Even the dumbest question can make you think twice about your decision.
Do not back a particular favourite; instead, try to foresee the impact and effect of the decision.
If possible, keep an Information Security Bulletin page to collect comments and feedback from everyone on the team.
2. Heavy reliance on costly products
Business infrastructure has transformed drastically over the last decade. Many functions and technologies have been introduced that let a business make instant changes depending on its customers' needs. Be it an e-commerce website's sale offer or a 20% discount on airfares by an airline, all of this is now possible in no time using pipelines such as DevOps.
I see information security failing to keep pace with these technological advancements in business infrastructure. Whenever a case study is put on the table, we start looking for solutions in the market through an RFI process, which ends with the purchase of a costly software product or service in the belief that it will solve most of the use case. What I always recommend instead is to have your developers design your own software: it may be only a few lines of code and may lack a fancy, colourful UI/UX, but it will meet your purpose. Therefore;
Think before you spend a huge amount on a commercial product. Understand the core of the problem.
Build and develop your own solutions; they may not look as fancy as a commercial product, but they will give you the most controlled, customizable and flexible solution.
Get help from source code repositories like GitHub if needed, but review and pin whatever you pull in; borrowed code becomes part of your own attack surface.
Always maintain a proper environment and ecosystem for testing in-house solutions.
Do not rush. Give it some time; every problem has an interim solution that will hold while you build the proper one.
Trust me, there is nothing that cannot be developed in no time nowadays. Try it yourself and see the difference.
3. Competency failure
John: "Boss! We are protected because I have installed antivirus on all systems across the estate."
Bob: "Good job, John!"
***Ransomware breaks out***
Bob: "John! You said we were all protected. How did this happen?"
John: "Sorry, we have not procured ransomware protection in our license."
Incompetence is why such situations occur: an engineer just clicks 'Next' repeatedly to install a security product without proper planning, strategy, an operations mechanism, documentation, policy definitions, handling material and standard operating procedures in place.
This brings me to step back and shed some light on the 'Turn Inward Security Practice', in which an engineer must understand not just 'what am I deploying to protect an asset' and 'what am I protecting it from', but, above all, 'what am I protecting'.
For example, many security professionals try to protect a Windows system with a pile of products from the market without knowing how Windows internals and architecture work. Therefore;
Train professionals less on what to protect from and how to protect, and more on the ins and outs of the actual asset that needs protection.
Installing a solution will not help unless it is configured and tuned to its full capabilities, and unless you have verified that the features you are relying on are actually licensed and enabled.
Keep testing how operators function, using multiple test cases and simulation exercises.
Ask questions, lots of questions, until you are fully satisfied with the answers you get.
That's all for now! There is a lot more to add, but I would not like to make this lengthy for readers.
I will write version 2 soon. Thank you, and tell me what you think.
- Devashish Singh