5 Things All Smart Security Leaders Need to Do Right Now
This Is What You Can Do Today to Create Immediate, Measurable Security Benefits

I joined Relativity in January 2018, right in the middle of a Chicago blizzard. Maybe it was a symbol of things to come, since the weather in the security landscape hasn't let up since.
While large organizations may receive direction and attention to navigate cyber storms, smaller organizations with fewer resources sometimes have a tougher time doing the same.
Developing a mature security program takes time, but I've met many forward-thinking security leaders who've made swift and lengthy strides in protecting their clients' data. With those lessons in mind, here are five things any organization can do today to create immediate, measurable security benefits.
#1 - Perform a Risk Assessment
Firms with more mature security approaches understand the risks they face. No matter your organization's size, conducting a risk assessment is a critical first step - whether you do it in house or hire an external firm. (Our managed detection and response provider Expel has a great post about the benefits of doing a risk assessment, along with a downloadable third-party questionnaire to help get you started.)
It may seem intimidating, but risk assessments can help you identify even relatively minor changes in organizational or employee behavior that could shrink some of your largest risks. Another important benefit? The likely reception from the C-suite when you turn security from a cost-based discussion to one based on risk.
#2 - Vet Your Partners
We learned from the Target breach in 2013 that trusting third-party partners and vendors implicitly can have disastrous results. Attackers target organizations to harvest their data, and by targeting vendors, they can exploit that relationship and bypass more difficult routes of compromise. It's essential that you conduct due diligence around third parties, ensuring their security meets your own standards and requirements.
Supply chain attacks are often a successful attack vector against organizations with a shortage of security talent - which is why it's critical to know what's at risk in your org and where to focus your efforts.
Ensuring that partners and vendors practice security as rigorously as you do is important. Prevent your trusted allies from becoming your greatest source of risk.
#3 - Embrace the Human Element
Phishing remains the most common attack vector - highly effective and potentially devastating. But with education, training and good technology, your organization can mitigate the threat. Teaching employees to recognize a phishing email - and how to react to one - is the best place to start.
Humans can be our greatest strength against phishing or social engineering attempts, rather than a weak link in the chain - but we must inspire and educate them.
#4 - Pay Attention to What's Around You
Once you've identified your largest risks and started addressing the basics, it's time to think proactively about staying ahead of emerging threats.
Watch what's happening at peer organizations from a security perspective. Read the trades about incidents at other companies. Talk to your peers, and attend industry events. These are great ways to learn not only how others have resolved similar concerns, but also how to secure against the threats most common in your industry.
#5 - Bake Security Into Everything You Do
As the saying goes, "Security isn't something you buy; it's something you do."
Improving security posture takes time. When security is a priority, you'll see security advocates with a seat at the table for important business discussions and decisions. Mature security operations bake security into every process, including the Secure Software Development Lifecycle (SDLC). Your security team should be consulted for security impact assessments, vendor reviews, major engineering decisions, every project that will change the code, and the many other business decisions that need to be made.
Hopefully these tips will help you improve your security posture. And if you're looking at these five tips and saying, "I've already done that," then help others. Speak at conferences. Publish whitepapers or collaborate on a blog post with a partner. We love quoting Winston Churchill here on our team: "Our fight is hard. It will also be long. ... But win or lose, we must do our duty."