Tuesday, May 5, 2015

Staying Balanced, while Navigating on a Slippery Slope

Looking at the state of IT organizations as both an observer and an insider, I’m often overwhelmed by the simplistic approaches taken by many and by the general oversights with regard to their overall security posture. In far too many cases, the CxOs and leadership staff are heavily focused on the business aspects and less on making sure their information and transactions are secured. As I watch the day-to-day goings-on behind various companies’ walls, I’ve come to realize that there’s a very dangerous (and very real) air of complacency within these environments - one that can seriously impact their businesses as a whole - and this realization drives me to continue working to evangelize security with what resources and knowledge I have, in order that all might attempt to make things better.

Complacency can be a very bad thing -

What is “COMPLACENCY”? Webster’s Dictionary defines complacency as “self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies.” Further, a second definition refers to it as “an instance of usually unaware or uninformed self-satisfaction.” The key words in both definitions are ‘self-satisfaction’ and ‘unaware(ness)’, and the takeaway from this is that it’s never good to be complacent when your organizational security is on the line.

Self-satisfaction (that slippery slope I mentioned) -

Self-satisfaction is a very dangerous realm in terms of IT Security. True thought leaders in the industry would acknowledge that in the IT world, learning is an ongoing endeavor, a constant pursuit of knowledge and a desire to stay atop the technological curve, which often requires a high level of commitment and dedication by IT staff to maintain. While it’s OK to recognize successes and to feel some satisfaction therein, one must remain focused and cognizant that each success is a stepping stone in a never-ending circle with regard to an organization’s security posture. If one doesn’t carefully monitor the individual steps and feels too self-satisfied, one might quickly lose focus and ‘slip up’.

Awareness is paramount -

In ‘The Art of War’, Sun Tzu (a Chinese military general, strategist, and philosopher) noted the following: "It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle." Military leaders and their forces throughout the world relate to the words above because they are not only valuable offensive strategy but worthy defensive strategy as well. Without a consistent, well-balanced understanding (not only of your own security and environment, but also of the enemy’s tactics and methods), some wars may be won, but sooner or later there’s a strong likelihood of failure.

One can never know enough -

Recognition that “one can never know enough” in this business is key to survival. So there must come a point where self-satisfaction fades, giving way to a realization that change and action are inevitable in order to best protect one’s assets and data. Until that point is reached, companies are constantly working to maintain their balance on that very slippery slope.

Companies tend to focus on what’s in front of them today, and are often complacent and unprepared for what tomorrow may bring. Their focus should be forward, toward what lies ahead, but they’re often still unaware of their immediate surroundings. As technologies change, as environments grow and the footprint of information spreads more widely, technical staff must remain focused on emerging threats and on targeted training and educational plans (both for themselves and for all users who might utilize said technologies), in order that they might be prepared for the current and emerging threat landscape. They must focus on bringing increased awareness to management to facilitate ‘buy-in’ and funding, and they absolutely need to investigate opportunities to strengthen their posture.

In closing -

There is always hope and promise that positive effort, knowledge attainment and hard work can make the IT world more secure. With the right acknowledgement and buy-in, an organization’s security posture can always be bettered and continued success maintained. My closing thought for today is the following:

“In order to maintain your balance on the slippery slope that is IT Security, ensure that awareness comes before self-satisfaction and complacency, lest you slide off the edge and fall to your demise.” - Tim Everson (me)
