
Weekly Blog Post – Security Boulevard

Should hacking lead to dismissal?

Sunset in Carlsbad California

“What happened, people?”

“Sir, we were hacked through the firewall again. Somehow they found a vulnerability.”

“You’re kidding. How much do we pay that managed service provider you recommended!!”

“Sir, there are always more vulnerabilities than solutions.”

“What did you just say to me now!!”

Cybersecurity specialists work every day, keeping hours like a doctor’s for half the salary, while carrying more burden, stress and anxiety than most professions. Protecting intellectual property, implementing adequate security, preventing unauthorized access to systems, and maintaining the organization’s security posture are always top concerns for security personnel. Every employee should have a company-wide cybersecurity responsibility written into their job description.

Having to worry about a job due to a cyberattack shouldn’t be a priority for someone working in this field.

Breaches, hacks, data exfiltrations and account takeovers will happen. In most attacks, breadcrumbs were dropped on the virtual floor months before the attack itself. Cybersecurity experts, including global tech companies like Cisco, Google and Amazon, have had their share of attacks. Yet ownership of data protection, risk management, and cyber protection shouldn’t rest with a single department, engineer, or manager. Cybersecurity should be considered 100% a “team sport”. Every member of the organization must be considered a stakeholder in the fight against cyberattacks. Yet many organizations still want to silo and compartmentalize cyber and IT instead of weaving security into the fabric of the organization.

The good news is that, thanks to DevOps, this siloed mindset is changing. The Agile movement in product development broke with traditional IT thinking and moved from a top-down (Waterfall) model to a horizontal design. Placing all resources and workflows on an equal footing fosters a culture of “common purpose” rather than the traditional blame game. Using collective sprints and workflows, smart, forward-thinking organizations interweave resources from AppDev, DevOps, SecOps, and NetOps to reduce overall risk through integrated sprint cycles that include all domains rather than only a single task.

Organizations that have adopted the “horizontal model,” including additional training for everyone, see tighter integration of security into every phase of their product design, production, and support. Organizations that incorporate penetration testing into their ongoing threat reduction program see fewer attacks succeed against their platforms through common mistakes.

No model is perfect. Even the most tightly crafted security models of the NSA, CERN, CIA and Bank of England will be hacked. However, organizations that leverage the team model for better joint incident response, with a combined team that learns from experience, operate in a much better way.

Pointing fingers, blame games, and playing dumb won’t stop future cyberattacks. Given the complexity of a cyber event, employee negligence should not be an organization’s first reaction. Companies leverage audits over time and other checkpoints throughout the year to validate resources, tools, and overall company effectiveness, rather than relying on a single department to monitor analytics of entity behavior.

A word of advice. Cybersecurity professionals do more in a day than most, even on weekends and Super Bowl Sunday. If these valuable resources feel the support of the organization, they are less likely to listen to offers from other companies. Security policy, all cybersecurity systems and the handling of suspicious activity are a complete team sport, with everyone in the organization becoming part of the solution.

All my wishes,

John
