As humans, we’re hardwired to look for the path of least resistance, for the easiest, quickest, most convenient solutions to our problems.
There are plenty of products and services out there that tap into this mindset, promising they’ll save us time, save us money, solve our issues. You know the ones. Get rich quick with our two-day course, look ten years younger with our hydra-whatdoyou-callit cream, get the toned stomach you’ve always dreamt of, without the need for exercise.
People want to believe ‘this one might just work’, but deep down we know it’s probably a temporary fix (at best) or a downright scam (at worst). It doesn’t stop us wanting to put our faith in it though.
However, for many of life’s problems, there is never going to be an easy fix. Want to get fit? You’re going to have to put in some effort. Want to get rich? It’s going to take hard work and won’t happen overnight (unless you win the lottery). That skin cream might have some positive results, but it can’t work miracles forever.
Information security fits into this category, and it would be nice to believe there’s a silver bullet solution out there: a product, piece of tech or an approach that will solve all our problems. Sadly, it will never be that easy.
Security is more than a single, one-off solution
History shows that attackers are constantly developing new techniques, taking advantage of new technologies, exploiting ever-changing attack surfaces and of course, capitalising on human fallibility. No organisation, product, service or person is ever 100% secure. There will always be ways for attackers to achieve their goals, whether it be through deception, advanced know-how, brute force, insider knowledge or just sheer luck.
But that doesn’t mean that organisations can avoid the issue. Customers, and regulators, are now demanding more assurances when it comes to information security and the penalties for failure can be extremely high (think GDPR fines). Any improvement work is obviously better than none, but if it’s undertaken as a one-off exercise, or to satisfy ‘tick in the box’ requirements, then it may only act as a temporary solution, a sticking plaster covering over and missing many underlying issues.
Effective information security comes from a combination of solutions and approaches, and whilst no organisation will ever be 100% secure, that shouldn’t stop them striving to ensure their company, its staff and its customers are as protected as possible, now and into the future.
Putting in the (right kind of) effort
Improvement takes time and effort, but just putting in time and effort isn’t going to guarantee results. When there are hundreds of approaches and as many solutions to consider, it can be all too easy for organisations to use their time and effort ineffectively.
What works for one organisation won’t always work for another, and every organisation will have different priorities, budgets, internal resources etc. It’s about doing the best with the time and resources you have, continuously focusing on the areas that will bring maximum benefit.
But how do you know where to focus your ongoing efforts? You need to be critical.
Firstly, you need to identify the most important assets within your organisation. Maybe it’s your customer database, it could be intellectual property, production systems, financial data or an e-commerce website, maybe it’s several assets. Whatever they are, you need to focus your attention on these key areas.
Next, you’ll want to understand the current security situation around these key assets and assess the potential consequences of a breach. What defences do you have in place? Have these been tested? What potential routes may a threat take to gain access to this asset, and have you secured them? What would happen if a threat were to gain access? A critical assessment of security posture in these key areas will help uncover problems and potential blind spots, helping focus your improvement efforts further.
This critical mindset doesn’t stop once priorities have been identified and work has started or been completed. It’s important to assess the effectiveness of any work implemented. Have the issues identified been fixed effectively? Can a malicious attacker still get through? What are the next steps I need to take to strengthen this area?
To be truly effective, the whole process should be a cycle: identify the key areas of concern, evaluate and understand the security posture, prioritise your efforts, undertake the work, test your work to ensure it is effective, then start the whole process again.
The more effective work you put in over time, the more you improve.
Sometimes you may need a push
So, you recognise security improvement isn’t a one-off job and you know you need to put time and effort into the right areas to be effective. But even then, it can be easy for efforts to plateau. You become comfortable, you stop pushing yourself and the improvements you once saw start to tail off. You’re still in a good position, but you’re not reaching your full potential. Like many areas of life, the biggest improvements often come when we’re challenged, when we are pushed outside of our comfort zones.
The motivation needed to challenge yourself, or in some cases even to start, can often be hard to come by, and in this situation many look for external support. Whether that’s from a group of like-minded individuals or an expert in the field, you often need someone to give you a push, to change up your routine, to show you new approaches and to provide the motivation and support you need to make your efforts go further.
However, this support or challenge always needs to be set at the right level to ensure you get the most from it. Take running, for example: a novice runner wouldn’t benefit from joining a marathon runners’ group (it would probably break them), and an Olympic runner wouldn’t really improve their times by joining a local parkrun. It’s the same for information security: you want the challenge to be tailored to your situation.
Are you up for a challenge?
As an information security testing provider, it’s our job to challenge your information security and to fully support your improvement efforts, no matter your size, budget, security situation or priorities. It may sound daunting, but it’s only by doing the hard work that you can ensure you’re making security improvements and keeping your organisation as protected as possible.
Of course, it would be nice to say that hiring us will solve all your security problems, but as you’ve heard, it won’t. We won’t save you time, we won’t reduce your workload, and we may cause you pain. But that’s exactly why we’re here: to challenge you to be the best you can be when it comes to information security. As one of our clients put it, “You make our job more difficult, but we like that. We know our company, and our customers, are more secure as a result.”