INFOSEC MISTAKES

The Mistakes Organizations Make With Their Information Security Department

Josh Moses
5 min read · Feb 27, 2020


MISTAKE 1: PURCHASING NEW TOYS AND IGNORING FUNDAMENTALS

INFOSEC personnel are easily attracted to new toys that promise to fix all their problems. They lose focus on the basic principles of security once they adopt a grass-is-greener mentality built around the newest product. Attackers typically identify and exploit weaknesses in the fundamentals of the security framework: systems that are not correctly patched, poor access controls, a missing defense-in-depth posture, or networks whose users lack any sort of security awareness at all.

The Fix:

Focus on and prioritize implementing the basic building blocks of security before purchasing the all-in-one answer. Follow the principles of least privilege, need-to-have and need-to-know based access provisioning, and a layered (defense-in-depth) network topology. The newest toy is useless without the fundamentals to build upon.

MISTAKE 2: LACK OF HOLISTIC APPROACH

A lack of a holistic approach leads to cybersecurity issues being addressed superficially or on an as-needed basis. Instead of understanding root causes and defining corrective action plans from them, many organizations work on the superficial issues that will only get them compliant. Assuming that merely purchasing the latest, most secure tools will keep you secure, and failing to educate senior executives and shareholders, is irresponsible and could be fatal to an organization.

The Fix:

Threat modeling and mitigation are intended to be an ongoing process. By fixing the issues, rescanning, and repeating, you address the new issues that surface after fixing one issue, which frequently exposes two more that were hidden behind it. Training employees to follow the more secure processes, and enforcing the policies that come out of the threat modeling process, builds a security posture that improves continuously; no process produces a state of absolute security, and any claim to one is itself a warning sign.

MISTAKE 3: LACK OF VISIBILITY

Lack of visibility into organizational processes and assets will in turn hide the security risks and vulnerabilities. Unless we know the actual, complete layout of the network, its external connectivity, the controls deployed, and the results of a risk assessment, we could overlook critical areas and focus on less significant risks.

The Fix:

A direct, comprehensive, and accurate view of the environment is crucial for understanding and managing risk. Any area or component hidden from view may be the attacker's point of entry.

MISTAKE 4: LACK OF SECURITY IN BUSINESS PROCESSES

In many organizations, security controls and policies are items to be checked off a list for compliance rather than taken seriously. Information security experts focus on awareness programs and on the processes directly related to information security only (e.g., access provisioning, data classification, etc.). Policies often exist on paper only and are not enforced.

The Fix:

Implement security in every business process. Employees will then follow secure practices in everything they do, without having to choose to. Enforcing information security policies by building them into every business process makes INFOSEC a way of life and not just pieces of paper.

MISTAKE 5: INEFFECTIVE CHANGE MANAGEMENT

If changes to production environments are made without collaboration and management, all the security in the world will not be able to protect the environment.

The Fix:

Change management processes MUST be well defined, with security requirements incorporated throughout the life cycle of each change. The security requirements of the change and its impact on the organization must be reviewed and assessed to confirm that the change does not undermine the security framework.

MISTAKE 6: FOCUSING ONLY ON THE PRODUCTION ENVIRONMENT

Control implementation and control assessments tend to focus on the IT infrastructure that is online and available 24x7, which is production. But sensitive or valuable information may also be present in test and development environments, whether online or offline, and even in external cloud storage. A compromise of any environment, production or development, can be detrimental to the whole network, because it can act as a launch pad for further attacks.

Assessing the security risks will never be accurate unless all environments are considered.

The Fix:

Build a total inventory of services, processes, and assets, including the information held within test, development, and any other environment in addition to production. All of this data must be collected, regardless of environment.
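The visibility fix (Mistake 3) and the all-environments inventory fix (Mistake 6) come down to one recurring check: reconcile what you have declared against what actually exists in each environment. The script below is an added example, not the author's code or any product's output. It assumes a constructed CMDB export in CSV form and constructed per-environment host discovery results (for example, from a network scan), and it reports hosts found but never declared, hosts declared but never seen, hosts whose declared environment disagrees with where they were found, and environments for which nothing was declared at all.

```python
"""Reconcile a declared asset inventory against per-environment discovery results.

Added example; the CMDB rows and scan results below are constructed, not real data.
"""
import csv
import io
from collections import defaultdict

# Constructed CMDB export (hypothetical hostnames, IPs and owners).
CMDB_CSV = """\
hostname,ip,environment,owner
web-01,10.0.1.10,production,webteam
db-01,10.0.1.20,production,dba
web-dev-01,10.0.5.10,development,webteam
db-dev-01,10.0.5.20,development,dba
jenkins-01,10.0.5.30,development,platform
"""

# Constructed discovery results: environment -> hosts that answered a scan.
# Note that "test" was scanned but nobody ever declared a test environment.
SCAN_RESULTS = {
    "production": ["10.0.1.10", "10.0.1.20", "10.0.1.77", "10.0.5.20"],
    "development": ["10.0.5.10", "10.0.5.44"],
    "test": ["10.0.7.5"],
}


def load_cmdb(csv_text):
    """Parse the CSV export into a mapping of IP -> declared row."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["ip"]: row for row in rows}


def reconcile(cmdb, scans):
    """Compare declared assets with discovered hosts across all environments."""
    declared_by_env = defaultdict(set)
    for ip, row in cmdb.items():
        declared_by_env[row["environment"]].add(ip)

    report = {
        "unknown": {},                  # env -> discovered hosts not in the CMDB
        "unseen": {},                   # env -> declared hosts no scan found
        "mislabelled": [],              # (ip, declared env, env where found)
        "undeclared_environments": [],  # scanned envs with no CMDB entries
    }
    seen = set()
    for env, ips in scans.items():
        ips = set(ips)
        seen |= ips
        if env not in declared_by_env:
            report["undeclared_environments"].append(env)
        unknown = sorted(ips - set(cmdb))
        if unknown:
            report["unknown"][env] = unknown
        for ip in sorted(ips & set(cmdb)):
            if cmdb[ip]["environment"] != env:
                report["mislabelled"].append((ip, cmdb[ip]["environment"], env))

    # Declared but never observed: decommissioned, offline, or hiding from the scan.
    for env, ips in declared_by_env.items():
        missing = sorted(ips - seen)
        if missing:
            report["unseen"][env] = missing
    return report


if __name__ == "__main__":
    result = reconcile(load_cmdb(CMDB_CSV), SCAN_RESULTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Every line of the report is a visibility gap of a different kind: unknown hosts are the shadow assets an attacker can use as a launch pad, unseen hosts are declared assets whose data may still exist offline, and an undeclared environment means an entire tier of systems was never in scope for any control assessment.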

MISTAKE 7: LACK OF DATA IDENTIFICATION AND CLASSIFICATION

Failing to identify proprietary data and to classify it by sensitivity, so that it can be protected efficiently, is an enormous vulnerability in itself.

The Fix:

An organization must ensure that it has fully identified its data and classified it according to its value. All control definitions, prioritization, and implementation must be driven by the criticality of the assets and data in the organization.

MISTAKE 8: LACK OF AUTHORITATIVE STRUCTURE

Establishing an information security organization, with or without a CISO, that lacks the authority, budget, resources, and reach to ensure end-to-end security. When the CISO is placed in the wrong department, with ineffective reporting lines and without proper authority, information security gets the least importance and the last priority among organizational activities and objectives, leaving the organization unprotected and the INFOSEC department ineffective and open to a breach.

The Fix:

Today any organization must recognize that information security is one of its most critical functions. For online businesses and financial institutions in particular, given the nature of the business and the threats associated with it, protection against every aspect of a security breach is essential.

The CISO's authority and reporting line should enable them to drive an effective organization with confidence. They should be able to make critical decisions that support the business and, at the same time, secure the organization.

MISTAKE 9: UNRESTRICTED NETWORK TRAFFIC

Uncontrolled and unmanaged outgoing traffic with ineffective monitoring can end in significant security incidents. In many cases, organizations protect themselves from unwanted incoming traffic but forget about the outgoing traffic.

This weakness can lead to future compromises, to attacks on other networks (for example from infected machines acting as bots), or to leakage of data as part of an Advanced Persistent Threat (APT) campaign or a data exfiltration attack.

The Fix:

Collect and compile data flows and traffic details, incoming and outgoing. Allow users to communicate with external networks only under full scrutiny and monitoring, with each permitted flow based on business justification and least privilege: deny egress by default and allow-list the destinations, protocols, and ports that the business actually needs. This control reduces risk and gives complete visibility into what is going on in the network.
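As an added example of what "least privilege for outgoing traffic" looks like in practice (this is not code from the article), the script below applies a hypothetical default-deny egress policy to constructed firewall log lines. Internal-to-internal flows are ignored; any internal-to-external flow that is not on the allow-list is reported, with a per-source count so that a host repeatedly reaching an unapproved destination stands out. The policy, the approved resolver address, the RFC 1918 internal ranges, and the log format are all assumptions made for the example.

```python
"""Egress allow-list check over constructed firewall log lines (added example)."""
import ipaddress
from collections import Counter

# Internal address space assumed for the example (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical default-deny egress policy: only flows with a business
# justification are listed, everything else outbound is a violation.
# Entries are (protocol, destination port, destination network or None for any).
EGRESS_ALLOW = [
    ("tcp", 443, None),                                    # HTTPS to the internet
    ("tcp", 80, None),                                     # HTTP to the internet
    ("udp", 53, ipaddress.ip_network("203.0.113.44/32")),  # hypothetical approved resolver only
]

# Constructed log lines in a simplified "timestamp src dst dport proto action" format.
# The firewall allowed all of them, which is exactly the gap being checked for.
SAMPLE_LOG = """\
2020-02-27T10:00:01 10.0.1.15 93.184.216.34 443 tcp allow
2020-02-27T10:00:02 10.0.1.15 10.0.2.20 445 tcp allow
2020-02-27T10:00:05 10.0.1.22 198.51.100.7 6667 tcp allow
2020-02-27T10:00:06 10.0.1.22 198.51.100.7 6667 tcp allow
2020-02-27T10:00:09 10.0.3.9 203.0.113.44 53 udp allow
2020-02-27T10:00:12 10.0.1.40 8.8.8.8 53 udp allow
2020-02-27T10:01:00 10.0.1.22 192.0.2.99 4444 tcp allow
"""


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    ts, src, dst, port, proto, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "port": int(port), "proto": proto.lower(), "action": action}


def egress_permitted(rec):
    """Check an outbound record against the allow-list."""
    for proto, port, net in EGRESS_ALLOW:
        if rec["proto"] == proto and rec["port"] == port and (net is None or rec["dst"] in net):
            return True
    return False


def find_egress_violations(lines):
    """Return outbound (internal -> external) records not covered by the policy."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rec = parse_line(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the whole review
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # inbound or internal-only traffic is out of scope here
        if not egress_permitted(rec):
            violations.append(rec)
    return violations


def violations_by_source(violations):
    """Count violations per internal source, so a repeat offender stands out."""
    return Counter(str(v["src"]) for v in violations)


if __name__ == "__main__":
    found = find_egress_violations(SAMPLE_LOG.splitlines())
    for rec in found:
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['port']}/{rec['proto']} not on egress allow-list")
    print(dict(violations_by_source(found)))
```

In the constructed data, the repeated connections to port 6667 and the connection to port 4444 from 10.0.1.22 are the kind of bot or command-and-control traffic the section warns about, and the DNS query from 10.0.1.40 to a resolver that is not the approved one is the classic covert exfiltration channel that an inbound-only firewall never sees. The same allow-list that drives this check is what should be configured as the egress ruleset on the perimeter, so that the log review catches policy drift rather than acting as the only control.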
