In the world of security, nightmares are everywhere, and unlike Halloween season the scares never really end. But why? Why is it that we just accept the fact that data breaches, ransomware and other attacks are just inevitable? The truth is that most security incidents start with poor planning and management. This includes utilizing the wrong resources, particularly security partners that don’t have your interests in mind. So, let’s take a few moments and talk about some of the ways the wrong security partner might actually be your worst Nightmare.
Big promises and minimal effort
You should always be skeptical of security partners who make big, bold promises about what they can accomplish for your security risks while asking very little of you in return. Much of the positivity about what they offer and how great it is, is simply marketing. Companies want to put themselves in the best light, and a little puffery is nothing new in advertising. But some of these promises do not hold up under scrutiny. For example, no matter what you may hear, vulnerability scans cannot substitute for manual assessment. Penetration testing cannot be “automated” and still be considered a true penetration test. No endpoint detection software can completely eliminate ransomware, and no spam filter will block every unsavory email.
To a certain extent, that’s OK. We shouldn’t expect security products to be perfect. Part of good security management is having a series of solutions and tasks that mutually support each other, while never assuming that any single element is foolproof. This kind of strategy is called “Defense in Depth” and is an excellent philosophy to covering your potential security risks. A good security partner will be able to give positive and direct guidance to what they can provide to you and offer advice about where other partners might be able to help.
We’ve seen true Nightmares where an organization relied too heavily on vulnerability scans. Scans can only flag the known, signature-matched weaknesses they are built to recognize; they will not identify zero-day vulnerabilities, and they will not chain several low-severity findings together the way a real attacker does. That gap is where the ransomware and data breach horror stories you read about come from. Don’t bring a butter knife to defend your systems against someone who is trying to murder them.
“We solve all of your security needs”
We understand that products and services can be new and exciting. They can even innovate and provide new depth to security. We should always be looking for ways to be more efficient with our security management. But it’s naïve to think that any one vendor, individual, product, or service can solve all your security needs.
The fundamental problem is that true security requires focus and effort directed towards multiple areas. Some of these areas aren’t even technical in nature, like creating good behavioral policies for staff, or engaging in security awareness training. It may not surprise you that people who are very skilled at securing the technology itself are not always the best at personnel management. They are two different skills. Even among security products, some tools are far more effective at a specific security task than others. It’s sort of like comparing a bicycle with a car. Both can get you from point A to point B, but neither is the best fit every time.
There’s a good chance that unless you have extremely limited needs, you’ll need a “security stack” in addition to people who work internally and externally on your security goals. A variety of knowledge, tools, and resources will lead to the best possible outcomes. Or you could take the Monkey’s Paw, make a few wishes and maybe things will all work out for the best.
“By working with us, you can get rid of your internal staff” / “You can leave everything to us”
Would it make sense if you decided to visit a personal trainer and the first thing they said was “if you want to get in shape, just sign up and you’ll get ripped easily”? Of course not. We all know deep down that to be great at anything, you have to be personally invested in it, both financially and mentally. Yes, you have to outsource elements of your security most of the time, but your internal staff always has to be a part of your overall security strategy. No matter how many external partners you have, you need someone to champion your security from the inside. Your staff will know the operation better than any partner ever will, especially when it comes to understanding the implications of a security incident. Good partners will certainly have advice to give on how to approach security, but their consultations will have so much more value when it is based on the operational and business expertise of in-house staff.
Coming up with a good balance between internal staff and outside experts can be a scary thing. You need a good partner in your corner who can illustrate why their services augment and support your team, rather than leave you with a false sense of security, just like all of those famous shower scenes before the knife comes out. No internal team has all of the diverse security skills like our team of ethical hackers, just like no outside consultant has the business expertise of your core staff.
Technology oriented instead of organizational focus
You might hear a vendor talk about how you need their product immediately. They may say that their product is the hidden key to security success, and that you should deploy it right away. Often, they will make these claims without really asking anything about who you are and what you do. Instead they get into the superior statistics about their product. Perhaps it has stronger encryption or was rated highly by a third-party evaluator.
However, by now you may have noticed the critical flaw. What does this product do for YOU specifically? There are certainly some high end, powerful security tools and vendors out there that can do extraordinary things with cutting edge technology behind it, but is that where YOUR resources should go? This vendor may indeed provide a benefit to your security posture, but is it the best product to accomplish your goals?
It's always important when determining your approach to security to step away from the technology and think about the goals of the business. Evaluate the various incident scenarios and their consequences and determine what your tolerance is for incidents. At the end of the day, it’s going to be these factors that truly determine what security partners you should be working with. Not understanding your actual goals and business risks before implementing your security strategy is like boarding up your house while the murderer is still inside!
Lack of long-term planning
It’s very easy to focus on what’s going on right now, especially when it comes to cyber-security. When I’m talking with first-time clients about a potential assessment, they have specific aims in mind. While we do have to focus on what we need to accomplish right now, there should always be some idea of what’s next. There should always be some other move that happens after a specific security action.
For example, when it comes to a security assessment, there’s the assessment itself, but also the remediation and mitigation of its findings. Not only that, but your security needs will evolve naturally due to newly discovered vulnerabilities, technology that has become more or less effective, and threat actors whose techniques and motivations will shift.
Security should be recognized as a continuous process. There are always going to be changes that need to occur. The products and services you use today will probably not make sense in their current form three or four years from now, regardless of how effective they are right now. The right partner will recognize this reality, iterate on their products and services, and be willing to tell you when it’s time to make an adjustment, even if things seem to be working.
The biggest problem with the Nightmare Security Partner is that once you have figured out you are stuck in the nightmare, it might be too late. You may already be a victim of a security incident and it’s not quite as simple as pinching yourself and waking up in your warm, safe bed. These decisions can be difficult to unravel and often these changes come at great expense. Make sure that when you are engaging with your security partners that they are truly looking out for your interests. It will help you sleep well at night knowing that your team is working for YOU.