The information security industry has changed so much since I took on my first full-time security job back in 2007. It has changed mostly for the better, although I sometimes second-guess all the great progress we have made after the many high-profile breaches in the headlines lately.
After running my own IT reseller company for most of the 90s and taking on IT engineer and architect roles at Schwab for much of the 2000s, I had a naive and perhaps different take on the field of information security back then. I always knew security was important, but I loved building things and testing out new technology even more.
In early 2007, I learned of a new security role posted on the company job boards. This was something different from anything I ever did before. I was very comfortable in my job and was good at it, but was also skeptical about taking on so much responsibility in a new field I knew relatively little about. It took me nearly two weeks to get the courage to even post for the job.
My thoughts on security back then? The first thing that came to mind was the T.J. Maxx breach that made the headlines just a few months earlier. I also keenly remembered the first "all hands on deck" experience trying to stop the spread of the I Love You virus that turned many companies' e-mail servers into paper weights. Or running around the building trying to find and unplug SQL Servers, hidden under desks and infected with the SQL Slammer worm.
Other not-so-fun memories included the first rollout of Active Directory and those complex passwords that contained 10 characters, including special characters. How were we ever going to remember such crazy passwords, I said, not to mention having to change them every 90 days? Security is such a pain, I had thought.
My whole perception quickly changed in 2007 when I accepted and took on that Technical Director role in a then fledgling IT Security group of nearly a half dozen security experts. I was the least experienced in the group in terms of information security, but was eager to learn quickly.
Security Complexity and Information Overload
Security seems more complex (and visible) than ever before. Having attended the RSA conference earlier this year, I visited many of the nearly 400 security vendor exhibits. I saw impressive displays of security software and hardware, and thousands of security experts roaming the conference hallways everywhere you turned. It can be overwhelming and lead to information overload at times.
My first assignment back in 2007 was to learn all I could about the ISO 27001 framework to help understand "best practices" for an information security program. I booked a reservation at the SANSFIRE conference in Washington DC to take a SANS ISO 27001 class. To this day, it was probably one of the best classes I ever took, as it gives you the basic foundation of what should be included in a solid security program, nicely organized into "domains" (e.g., policies, physical security, access control, operations, etc.).
After I came back from the week long class, I was wide-eyed and eager to solve world hunger. So it seemed.
I used good old Microsoft Excel to record and map just about everything into the ISO framework. You name it, I added it to the spreadsheet - security tools, projects, processes, people, pet names, long lost relatives and I'm sure many more things I have forgotten about. It was an excellent experience, as it not only allowed me to understand best practices across many different security areas, but it also gave me an understanding of where we were mature and where we had gaps that needed to be addressed. It was my first experience of assessing an organization's security controls from top to bottom. I even learned how to use a BITS Kalculator Matrix tool to calculate operational risk for each gap, which could be used to help prioritize initiatives.
It also made me think how easily you could get caught up in the details with so much information. Although I look back now and see how much progress has been made, I still marvel at how the "simple stuff" often gets overlooked or ignored.
Many larger organizations spend millions of dollars on great security tools and expert security consultants. There is no doubt that the larger your company gets, the more investment may be needed. However, I would also argue that just throwing a lot of money at security doesn't mean you will solve your most pressing security challenges. Remember the old cliché, "jack of all trades, master of none"?
Whether a small or mid-sized business, I would argue that the opposite of being a "jack of all trades" is what you want. In other words, build the foundation of your house first by "mastering" the basics before getting caught up in managing too many tools or too much information. Then, start layering on security controls to gradually improve security, as resources and time allow.
Startup and Small Business Security Challenges
Just about every small business or startup is faced with a plethora of challenges when it comes to investing in security safeguards to protect its brand.
Just a few small business security challenges are listed below:
- Lack of security expertise
- Not much of a budget to spend on security
- No security policies in place
- No security awareness training or program for employees
- No time available to spend on IT or security
- Potential legal and regulatory liabilities
- Potential financial penalties and brand damage
- Potential loss of third party business (due to weak security controls)
With these challenges, it is ever more important to prioritize spending in the right areas first. Keep things simple by mastering the basics.
Simplicity - Mastering the Basics
As a startup or small/mid-sized business, you should start with a security assessment to help identify security control strengths and weaknesses in your organization. Use a good security consultant if you need expertise or lack the time to conduct the assessment.
Ensure the assessment is based on a strong framework (such as ISO, as mentioned previously) or strong regulatory/compliance standards (such as PCI or HIPAA). I also really like the SANS Top 20 Critical Security Controls. Leverage the assessment results, together with the value of your assets, to help prioritize which areas you should focus on.
Based on the assessment results, ensure your company has all the basic core controls covered. My recommendation would be to first ensure the following areas are addressed:
- Document and publish Information Security policies (ensure your employees understand their security responsibilities)
- Security Awareness training (ensure employees take training annually and upon new hire)
- Endpoint security - anti-virus, patched/updated systems, etc.
- Web application security - scan and remediate your public website(s) of any detected vulnerabilities
- Access Controls - just a few are listed below:
  - Strong passwords, rotated every 90 days
  - Two-factor authentication for remote access, third party access or access to sensitive web applications
  - Don't give administrative access to business users (by default)
  - Don't share accounts used for privileged access
  - Disable IDs when users leave the company
Beyond the Basics
Once you have mastered the basics above, you can implement layered controls to further add "defense in depth" to improve your security posture.
I've listed just a few that are important, but it may also depend on your business and security objectives as well as budget limitations:
This is by no means a complete list, but some critical areas that you can build on.
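Three of the access-control basics above (90-day password rotation, no admin rights for business users by default, disabling IDs when users leave) can be checked with a periodic account review. The script below is an added example, not from the original article: it runs over a constructed user export whose column names are assumptions, not any directory product's real format.

```python
"""Access review for the basic access-control items listed above.
Added example; the CSV columns are assumptions for illustration only."""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data); columns are assumed.
USER_EXPORT = """\
username,enabled,is_admin,role,password_last_set,employment_status
alice,true,false,business,2024-05-01,active
bob,true,true,business,2024-06-10,active
carol,true,false,engineering,2024-01-15,active
dave,true,false,business,2024-06-20,terminated
svc_backup,true,true,service,2023-11-02,active
erin,false,false,business,2023-12-01,terminated
"""

MAX_PASSWORD_AGE = timedelta(days=90)  # "rotate every 90 days"
REVIEW_DATE = date(2024, 7, 1)         # date the review is run (constructed)


def review_accounts(export_csv: str, today: date) -> dict:
    """Return findings keyed by control, each a sorted list of usernames."""
    findings = {"stale_password": [], "leaver_still_enabled": [], "business_user_admin": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        enabled = row["enabled"].lower() == "true"
        is_admin = row["is_admin"].lower() == "true"
        if not enabled:
            continue  # a disabled ID cannot log in; nothing to flag
        # Disable IDs when users leave the company
        if row["employment_status"] == "terminated":
            findings["leaver_still_enabled"].append(row["username"])
        # Strong passwords, rotated every 90 days
        last_set = date.fromisoformat(row["password_last_set"])
        if today - last_set > MAX_PASSWORD_AGE:
            findings["stale_password"].append(row["username"])
        # Don't give administrative access to business users by default
        if is_admin and row["role"] == "business":
            findings["business_user_admin"].append(row["username"])
    return {control: sorted(users) for control, users in findings.items()}


if __name__ == "__main__":
    for control, users in review_accounts(USER_EXPORT, REVIEW_DATE).items():
        print(f"{control}: {', '.join(users) or 'none'}")
```

Run against a real export, the three finding lists become the to-do list for the account owners; accounts like the service account flagged here still need a password rotation process even though they are not tied to a person.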
In conclusion, it is easy to get caught up in the quagmire of complexity caused by too many tools and vendors to choose from. That's why it's so critical to start with the basics by building the foundation of your "house" first.
Remember, be secure. It's a zoo out there!
(This article was originally published as part of the Securezoo Newsletters.)