The one thing that we can learn from the data breaches in the last month alone is that data breaches are not caused by sophisticated hackers alone. Your next threat is not coming from Russia, N. Korea, or China. It is coming from simple misconfigurations and known vulnerabilities that already have patches. This means that existing on-prem and old IT tools are not working. Many companies, including Verizon, Equifax, Dow Jones, and the SEC, had many security tools and solutions. Why did they not work?
"I think it worked. It probably even did what it was supposed to do".
Equifax, for instance, knew about the vulnerability. A vendor had also rated them 'F' (bad!) for not patching. Verizon itself provides security services and has all the tools and knobs, but it was a simple misconfiguration that exposed their AWS S3 buckets and got them into trouble. The same goes for Dow Jones and Deloitte, which exposed their cloud data to the public internet.
You have all the traditional tools. If they are not helping you with the one thing they were supposed to do, i.e., keep your company out of the headlines for data breaches, then the tools are useless. Toss them out.
CISOs of many companies say that they have a budget, attention from management and even the board, and tens of technologies accumulated over 10+ years. However, they still have the problem of sorting out millions of IOCs arriving as a continuous stream. With the acute shortage of skilled resources, these tens of tools are alerting, but they are not preventing the attacks.
"You need a new approach, a new philosophy, a new user experience in tackling this security problem."
Let's just start by defining the problem. CISOs of Walmart, Uber, Cisco, and Yahoo said at the recent Structure Security 2017 conference that security is not a technology problem. It is a business problem. To be specific, it is a risk management problem. As a CISO you are not just dealing with security teams and IT teams, but also with the board, litigation, law enforcement, and the media. Hence, approach the problem with the right mindset. Don't just throw in tools and search for skilled people.
The CISOs were urging the security community to treat security as a risk management and business problem. Focus on security maturity and trend analysis rather than a snapshot view of security. Build the security skill set rather than hunting for it. Leverage unified platforms for IT Ops, DevOps, and SecOps. Have outsiders review your security strategy through pen testing, and embrace the cloud.
The bottom line is that when you have old tools in old IT, you have bad hygiene. It attracts a lot of bad habits and malware. Instead of fighting every year for budget and resources, be smart. Make a bold move. When renewal time comes, don't renew your old IT support. Take a hard look at the new approach. You may be paying more money to support your old IT once you include the people too. Get a new approach that understands your needs and has business models and pricing that support you.
We have thought a lot about the new approach. We have spoken to our 400,000 customers and asked them what they need and how. Look at our new announcements in the coming days and think about the new approach for your old, new, and future IT.