What is Security About
Security is about breaking and building. Building includes resilient systems with security embedded by default and security tools helping to automate the whole security process. Breaking is about reviewing the systems trying to understand where vulnerabilities could be found and proving that they could be practically exploited using commonly available tools and methodologies.
Common Security Myths
Common approach used by business often, namely – let us address “critical few” and all our security problems will be solved, doesn’t work in security and is dangerous, because security is just as strong as its weakest link, which most likely will not be included to the “critical few”.
Other common myths related to that are:
- Our system is secure, because we’ve implemented good security policies.
- Our system is secure, because we are compliant with all regulations where our organization is a covered entity.
- Our system is secure, because we’re using the most advanced and contemporary security tools placed by Gartner to the top right quadrant.
- Our system is secure, because we’ve written a lot of code to automate our security processes and integrate them well with all our automated security tools.
- Our system can not be defeated even by zero day attacks, because we use machine learning for fast intrusion detection and prevention.
- Our system is secure, because we have the best in the world security team and researchers.
- Our system is secure, because we have implemented a comprehensive threat intelligence program and are always one step ahead of any hacker group in the world.
What is Really Important in Security
- All of the above (see “Common Security Myths”).
- Being aligned with your organization’s business needs and building adaptive security by identifying the most important threats for your business and addressing them first.
- Maturing and expanding your security tools, processes and coverage as your business grows and matures.
- Taking reasonable risks to allow business to be competitive and agile. Implementing a comprehensive security and losing competition to your peers because of that is not really an option.
- Always walking the fine line between security and usability. That’s the only thing that can make security implementation efficient.
- Being critical towards “well established” standards (think of DUAL_EC_DRBG) and “common practices” (Target was compliant with regulations and did what is “common”, but still got compromised)
- Assessing your threat posture well and understanding that your business might have specifics that others do not have. At the same time, always looking around to find solution that fit well your organization.
Conclusion
Be critical, understand that there is no “one size fits all” solution in security, look around to learn how other people and organization do it, but select only those solutions that fit your organization well. Analyze your organization’s security threats carefully before deciding what your short and long term priorities in security should be.