When thinking about security, people often gravitate towards implementing various security tools, solutions, or products. If you bring up a security issue or gap, somebody can usually list example products that can assist with mitigation. However, tools are not a full solution; as we discussed in our previous webinar, security consists of continuous risk management processes. Trying to secure an organization, data, or an environment is not a process that revolves exclusively around tool deployment. That’s not to say that tools aren’t part of the picture. It’s just that the tools must be managed with ongoing processes and procedures.
You Can’t Set It and Forget It
No current security products let you “set it and forget it.” The products don’t let you deploy them, configure them once, and then walk away and get continuous security and coverage. There must be some management and monitoring that takes place around those tools.
And it’s not just the alerts. It’s also true management of those products and solutions. Obviously, there’s some type of maintenance and ongoing management that needs to take place, just like any other product or tool. Just like any other software solution, there are updates, patches, and security fixes for security products. In some cases, those updates include new features which might provide new capabilities to protect against new threats or detect new threats that the adversaries are putting forward.
Security tools also need to be monitored. They often provide alerts that individually may not hold a lot of value, but in aggregate, especially alongside other solutions and tools, they feed your overall risk management process, which provides you with the information to act.
Security Tool Configurations Need to Stay Up to Date
Your organization isn’t static. Your organization and technical environments are changing, which means the configurations for your security products and solutions also need to be updated to meet your business needs. As your business evolves and your technical environment changes, so too must your tools change to match. As mentioned, security tools can have their own vulnerabilities that need to be patched, so make sure your tools are up to date.
Security Is a Process
Security is a process; there is no silver bullet. There’s a lot to it, such as third-party risk management, incident response planning, disaster recovery planning, and so on. No tools solve all those problems. It also requires business input. It requires you to go through risk management processes. Therefore, tools are not the solution; tools are part of the solution, but security products are not an exclusive or full solution. The full solution is to treat security as a risk management process.
Ransomware Drives Home the Point
The one example we’ve seen repeatedly over the last year that drives home this point is ransomware. It’s so prevalent among our clients and in the security environment. So many organizations had solutions to back up their systems, and they’ve had them in place for many years. However, they didn’t manage that tool, they didn’t look at current threats and vulnerabilities, and they were still doing backups the exact same way on a Windows server connected to the network. Ransomware often attacks Windows servers and can attack and encrypt those backup servers.
Tool management includes ensuring that your tools’ configurations, architecture, and controls are still applicable and account for new threats and challenges. It also includes asking yourself if you need to modify how you’re using your tools to make you more secure and ensure that your tools don’t become useless in the case of a ransomware attack.
Security Requires Full-Time Attention, Dedicated Staff, and Specialized Tools
Security is a risk management process; it’s focused on business risk. It’s not focused exclusively on technology, and it’s not focused exclusively on tools. It requires full-time attention, dedicated staff, and specialized tooling that’s different from what’s generally used in IT. It’s continuous risk management, not tool deployment.
If you want to defend your organization against modern threats, then ask us about our Secure by Design offering. It combines managed services with technical consulting to form a comprehensive security program that reduces risk, accelerates threat response, and decreases total cost of IT ownership, all while improving your security posture.