In a world where nothing is 100% secure and malicious threats have the advantage of time, unconstrained resources and no ethical barriers, we need to accept that ‘perfect’ security isn’t realistic. Instead, organisations need to strive for a high level of confidence in their security efforts, within the resource and budget limitations they have. By doing so, they help keep themselves protected against most of the threats they face.
Having confidence in your information security is a goal every organisation should aim towards; however, it’s important to recognise that not all confidence is created equal. Confidence and competence aren’t always aligned, confidence certainly needs to be more than a feeling, and misplaced confidence can be dangerous.
So, how do you achieve (the right kind of) confidence in your information security?
Adopt a zero-trust approach
Zero-trust seems to be the buzzword of the day when it comes to information security. The idea is that every user needs to be authenticated, authorised and validated before being granted access. Basically, are we sure the user is who they say they are?
This same approach, questioning everything and gaining proof, can be applied to all other areas concerning your security. Take, for example, external software providers. Many suppliers like to shout about the security benefits of their products, with terms like ‘real-time AI detection’ or ‘military grade security’ used to instil a feeling of confidence in the customer’s mind. But what do the claims really mean? Can they be backed up? What risks do you introduce in adopting this software? These are questions organisations need to be asking themselves and their suppliers, helping to build security confidence around these areas.
The same approach can be used internally. For example, companies may have an internal software development team, and, in many cases, security checks will fall under their remit. But do developers have the right skillset to test security in a robust manner, and could there be a danger of ‘marking their own homework’?
By asking questions, challenging claims, and seeking proof, you start to build confidence that your defences are as strong as they can be, across all areas of your business.
Put your confidence to the test
So, you’ve asked questions, challenged the claims, and sought the proof you need. You’re now confident that your security is robust enough to keep you secure against most threats. But how do you know your efforts have been truly effective? You need to put this confidence to the test.
Having an independent expert, such as a penetration tester, compliance auditor or risk management consultant, assess your work is always a daunting prospect. That’s completely understandable, but those with confidence should relish the opportunity. When you have this mindset, independent testing is a win-win situation. Think about it: either the test comes back with little to report, validating your efforts, or it highlights issues, which you can then act on to improve.
It’s this mindset which sets apart the security great from the security good. They don’t see testing as a criticism of their work, but rather as a benchmark for their efforts, a chance to improve and an opportunity to strengthen their security confidence further.
So, the question you need to ask yourself is: how confident are you in your information security confidence?
Originally published in Computing Security Magazine.