Security professionals must respect, and relentlessly deliver on, the fundamentals of computer security. The fundamentals provide the stability and clarity needed to maintain an effective force and give insight into the ever-changing myriad of threats and attacks.
Combining proper risk management techniques with an understanding of the rapidly evolving security landscape provides the foundation for good compensating controls. Such mitigations are the practical measures that reduce risk. To remain effective over time, a thorough controls architecture and intelligent business processes must be embraced, and they must be fluid enough to adapt to changes in the threat landscape. The result can be a comprehensive and consistent security capability that stands up against a great diversity of evolving threats.
Delivering Comprehensive and Consistent Security
- Layered defense. Security must exist ubiquitously and be present wherever data flows, is processed, or is stored. It must exist in the mind of the user, in the hardware and software of the devices they employ, in the network communication infrastructure, in storage devices, and in the back-end cloud or data center environments. Protecting only part of the electronic ecosystem leaves weak points that will be easily targeted. To be sufficient, security capabilities must saturate the environment broadly. As threats change and new attack methods emerge, the level of security capability at each layer must adapt and be rebalanced.
- A Defense-in-Depth methodology. A holistic and systematic approach is necessary to intersect risks across the attack cycle's timeline. It acts as a self-improving feedback loop for the entire security controls structure. By incorporating aspects of prediction, prevention, detection, and response into the security strategy, a greater set of opportunities presents itself to be more cost-efficient and effective at managing risk.
- Common sense and best practices. Close vulnerabilities when it makes sense, but don't rely solely on this for security. Take measures to ensure survivability in the event of a crisis, and consciously choose to implement security that is smart, trusted, strong, and ubiquitous. Learn from mistakes, whether they are your own or those made by others. Communicate across peer groups to understand pitfalls and opportunities. The industry changes rapidly, and security innovation, especially when tested in real-world environments, can provide great benefits when applied in a timely fashion. Stay informed and apply best practices as they emerge.
Risk management leadership, an understanding of the shifting threat landscape, and effective controls are the foundation of every great security organization. They form a baseline of good practices that protects against the vast majority of the threats we face and adapts to emerging threats and methods of attack. To succeed, we must never forsake the fundamentals of security.