Security Program: How To Thrive?

From struggling or hardly surviving, to a fully supervised and manageable security program…

Most companies struggle to run a smooth security program. No matter how much they spend on it, the difference is really not that much. From zero budget to million-dollar security budgets, they still do not have enough trust in their security program. Regardless of how much they spend on security initiatives, they never really have confidence and do not expect to see positive and reliable results from their investment.

Adversaries are finding new ways to hurt online businesses every single minute, while tech gurus are creating “solutions” to address today’s challenges months, years and sometimes decades after the fact!

We are simply trying to survive in cyberspace. What could we do better in order to thrive, in a stronger position where security is no longer a hassle and is not the heart of the matter either? Let’s look at some practical countermeasures:

* stick to a management system

For a moment, forget about technology and tools and get back to basics. A management system can fulfill whatever you need in terms of handling processes, so that you do not have to worry about the foundation of your operation. You can reinvent the wheel or you can choose from thousands of management systems, but first ask experts which system fits your needs, or bring a professional on board to implement a system fully customized to your workflow from scratch. Also, believe me, without a management system of any kind and approach, you will still be at the first step after years of spending your precious time, and that first step is the “surviving” approach.

* set objectives

Any project has a set of goals which are measurable and achievable. Objectives are not like: having a more secure network… or, set up RDP filtering on firewalls… they are more like: reducing the current number of entry points to the network… or, assessing current remote protocol insecurities…

Objectives help you better understand what you are trying to get from your management system, and where resources have to be focused. This topic is also related to the risk approach, which I think is the foundation and background of the management system.

* constantly measure

These are checkpoints where you can tell precisely, and by evidence, whether you are on track. The more you measure and automate the process, the closer you get to a proactive system and the faster you accomplish each of your objectives. Through measurement you can tell if the direction is right or wrong, and what is wrong or right.

* plan for corrective and preventive actions

With each measurement you need to define corrective actions for when the result is not as expected or the pace is slow. The plan to enforce these corrective actions is the key to a smooth security program; otherwise you will be struggling with past actions while new ones arrive.

* be responsive to facts not fictions

The computer security industry is full of fictions, and we mostly spend time and money on things which are either not important or can be tackled at the root, so let me give you an example:

Taking Advil when you catch the flu is just a painkiller, only for passing time without suffering from flu symptoms, just to survive, because we do not know how to handle the flu virus in the 21st century (or maybe we know but we don’t want to disclose?!), and that is similar to running a virus scan on your network when you get a virus infection!

Cyber security facts have not changed since the beginning of this subject in human history, so once you know the facts you see how easy it is to address them without Advil!

Published by Kaveh Mofidi

He starts and finishes a day for only one reason, which he is so passionate about: finding simple solutions for huge and complicated issues! He believes information security and computers are so fun to deal with, but the real deal is to find solutions for unlimited clean energy, drinkable water, hunger, war, injustice... those are our real problems on the Earth!
