The plethora of recent high-profile breaches, and the funding and attention lavished on information security teams, have forced many IT infrastructure groups – those that are responsible for the company’s hardware, software, networks, data centers, and so on – to reprioritize their strategic plans and focus on information risk management.
In fact, the security group is the only part of the infrastructure function where staffing levels are increasing. So, as they think about how to occupy their new recruits and make the most of those resources, infrastructure teams should take three steps.
1. Don’t (just) focus on new technology: Infrastructure organizations continue to increase their spending on information security solutions as their primary strategy for improving security. The vendor market is offering “antibiotics”, and most people are taking them.
While advanced capabilities might seem like the natural way to fight back against threats, the fact is that most attacks today are not sophisticated, and thus don’t require “antibiotics”.
As one IT security executive from CEB’s networks said, “you have to earn the right to face an advanced attack.” It’s logical if you think about it — attackers will target your weakest spots, and most of us still have some pretty basic points of vulnerability.
2. Focus on basic security hygiene, not “antibiotics”: What we know from medicine is true also in security — many diseases can be mitigated through good personal hygiene, avoiding the need for antibiotics.
Security hygiene refers to the fundamental security activities that protect the organization, such as system patching, up-to-date antivirus, correct system configurations, intrusion detection systems, data loss prevention, and employee awareness.
Good hygiene can certainly help your company block the bulk of attacks, but its value is larger than that. It improves the organization’s signal-to-noise ratio and gives managers better visibility into what advanced attackers are doing, which is how you identify where and when you truly do need “antibiotics”.
The first question in today’s environment shouldn’t necessarily be which security technologies should we upgrade, but where should we make sure we have good hygiene in place.
3. Turn security scrutiny into a positive: The silver lining in the string of breaches over the past 12 months is that they have got the attention of CEOs, boards, and business partners. Those senior managers own the technology projects that bring the most risk to companies, and they directly influence a large number of line-level employees who can be the source of data leaks or breaches.
Now is the time to capitalize on this momentum and turn senior business managers into the champions of awareness campaigns. Take the time to refocus on making these efforts effective. Training and communications should not rely on scare tactics or technical explanations; they should contain clear, simple instructions about what employees should do in their day-to-day work.
Forward-thinking teams create effective training but don’t focus only on training as a way of driving awareness. They understand that positive and negative incentives have a greater impact on employee behavior. Interestingly, the rewards for good behavior are just as effective as punishments for misbehavior, according to CEB data, so consider that when revisiting your awareness campaigns.
Mark Tonsetic is the managing director for the Infrastructure Leadership Council and Applications Leadership Council at CEB Global, now Gartner.