In this week’s webcast, our panel of security experts took the time to reflect on the past year and discuss their 2015 Security New Year’s Resolutions. For this discussion Trey Ford, Global Security Strategist at Rapid7, and josh, VP of Information Security at Rapid7 were joined by Andrew Plato, President/CEO at Anitian, Chris Calvert, Senior Strategy Manager – Red Team and Cyber Threat Intelligence at TELUS, and Bob Jones, Information Security Manager at City of Corpus Christi, TX. The panelists spoke about lessons learned from the past year, best practices to implement going forward, and each person’s top 2015 security initiatives. Read on to learn the top takeaways from this lively discussion:
1. Security is an enterprise problem, not an IT problem – 2014 was the year that security became a topic of conversation in board rooms and dining rooms through a steady stream of public events. Higher ups are more receptive than ever to hearing from security practitioners, and general awareness about security as an issue that needs attention beyond compliance is high. We should take advantage of this by ensuring that users are educated about steps they should take to protect themselves and that security professionals get included in the first stages of business decision conversations. If they're brought in too late they can be seen as a disruption to progress, or worse, issues can slip by without notice from security. Executives are realizing that check box security isn't enough, and security professionals need to seize this opportunity to partner with leaders and keep security top of mind.
2. Be smart with your budget – Now that many boards and executives are paying attention to the issue of security, and in some cases allowing for more budget to support security programs, security professionals need to be very smart about how they manage their money. Throwing more money and more tools at an issue won't solve any problems. Tools alone aren't enough - you need to understand what the problem is and have the ability to do something about it. Security teams need smart people solving problems creatively, and to hold their security vendors accountable to consistently provide value and improve a team's ability to reduce noise to something manageable. The technology and controls in place need to work for security professionals to get them the data and insight they need, and if processes and policies aren't working, we should get out of our comfort zones to update and change them.
3. Nail the fundamentals – More than anything else, the extreme importance of working to perfect security fundamentals was hammered home during this discussion. It is dangerous and ineffective for security professionals to get ahead of themselves, especially with many major breaches still occurring through simple avenues. Security teams must know exactly what systems they have, how many are running in their environment, who should be accessing them, who owns them, and what normal behavior looks like on each system. They need things like defense in depth, multiple layers of controls, configuration, change, and vulnerability management to start. These are the building blocks to anything a security organization needs to get done (for more details on security fundamentals check out the webcast recording), and these fundamentals need to be successfully managed for a company to become mature and think about adding in more complex solutions. Security professionals must practice doing the common uncommonly well.
4. Assume breach! – When it comes to being breached, it is not a question of if, but when! Have a breach response plan, and don't assume that because things are quiet you are safe and secure. Always assume the next attack is looming so you are ready and aware when an incident occurs. By operating on an "attackers will find a way" premise you can focus on making sure the attacker's mobility is limited and quickly identifiable once they've entered your environment.
To listen to the full discussion and learn about each expert’s 2015 security initiatives view the on-demand webinar now.