Ever get the feeling that your business-as-usual (BAU) mentality might get you into trouble? If you do and you’re in cybersecurity, you’re not alone. This feeling is not without good cause; organizations are not prepared to deal with severe and frequent cyber-attacks.
Lockheed Martin recently sponsored a Ponemon Institute survey of 678 US IT and IT security practitioners who are familiar with their organizations’ defense against cybersecurity attacks, and have responsibility in directing cybersecurity activities. When asked about the challenges to achieving a strong cyber defense, 75 percent of respondents say they see an increase in the severity of cyber attacks experienced by their organizations and 68 percent of respondents say they are more frequent. However, a smaller percentage of respondents (53 percent) say launching a strong offensive against hackers and other cyber criminals is very important to their organizations’ security strategy.
These survey results beckon the question that has evolved as the conversation has become within our organizations, are the investments we’re making in corporate America truly protecting us against today’s sophisticated adversaries? Another way to look at it is to ask “how can we be sure that the measures in place will protect us, or only provide a false sense of cybersecurity?”
In order to answer these questions, organizations need to avoid three common BAU-associated pitfalls.
#1: Alerts equal security:
“Things that go bing” is another way of phrasing this common pitfall. Security Operation Centers often seem packed with technology that are meant to alert us when bad things are happening. Traditionally organizations have bought (literally bought) into the idea that there is a mix of technologies that can be plugged into the network to find all the potential issues. So they invest heavily in tools “that go bing” to defend their network. This is what we call a vendor-driven response model.
To avoid this pitfall, understand that there’s no such thing as a silver bullet for cybersecurity, you can’t buy your way out of insecurity, and the traditional set-it-and-forget-it approach doesn’t work.
#2: Nightlight equals security
A short disclaimer: your staffing plan is up to you, and we’re not saying that you need 24x7 staffing. In fact, 24x7 staffing doesn’t always mean you’re covered. Often paying a person to stare at glass overnight can cause an organization to overestimate their security maturity. In avoiding this pitfall, ask yourself:
#3: The pre-existing framework equals security
Some organizations believe that the process of reacting to alerts is a framework. Essentially they wait for something bad to happen and then react. So whether this is a planned strategy or just the reality of your current operations – not having an evolved, sustainable and scalable framework is a pitfall that plagues many organizations.
In mitigating this process, make sure you flesh out the processes behind how the technology and people aspect of your security will function. Map your tech environment, document roles and relationships, research and mirror other frameworks, and educate and train your staff to follow and understand your framework.
Most importantly, acknowledge that a framework in and of itself does not equate to security. It should be merely seen as a map that leads to a more secure posture. Your job should be to ensure that you’re map is as detailed and robust as possible so that you’re cybersecurity approach doesn’t get lost in the woods.
In many ways we can never fully avoid the feelings associated with a business-as-usual (BAU) mentality. But by following these tips, we can avoid three common pitfalls associated with BAU thinking and remove much of the threat of cyber-insecurity.