Some people would chuckle incredulously at the claim that “we are secure”, but some people and organizations do think that. They think that spending money and time, dedicating resources, implementing solutions, and establishing controls makes them secure.
You Need to Resolve Every Risk
The reality is that no organization is secure. There is no such thing as secure vs insecure. That’s not how security works. When you’re talking about maximizing security, you’re trying to resolve every single risk. The reality is that the adversaries only need to find the one risk you missed. And it may not be a risk you even knew about.
This happens frequently when a new vulnerability or zero-day is being actively exploited or weaponized by cyber criminals. So even if you do go through every single known vulnerability, and you mitigate or resolve those risks, what about the ones that are unknown? What about the ones the bad guys don’t even know about today, but may find tomorrow? Unfortunately, your job is very difficult. You must address all these vulnerabilities and risks, and they only have to find the one that wasn’t addressed.
What About Third Parties?
Even if you have robust security, a big security budget, a security-minded culture, and dedicate a lot of effort to security, you still have a potential risk in third parties. That’s another huge risk area that people tend to either miss or skip.
Third parties can be vendors who have access to your environment. They can have access to your data. They may have access to work with your customers. What about software vendors? There have been significant cases where security software was compromised in the software developer’s or the manufacturer’s environment. The compromise doesn’t even have to occur in your environment. All these different components are part of your environment, even though you have limited to no control over them, and they introduce risk.
Not All Incidents Are Preventable
No individual security control works 100% of the time. And no collection of those security controls gives you 100% protection. Remember:
- Security is a Risk Management Process. Security requires continuous care and feeding. It’s a process you must continuously refine and improve.
- Tools must be managed, maintained, and monitored. Tools should be a part of your security posture and controls. But just having tools isn’t enough. Tools can’t prevent an employee from walking out the door with a laptop that can be lost or stolen. Tools won’t prevent every single incident. Therefore, care and feeding are essential to maximize your security posture.
- Security requires full-time attention and skills. Security must be somebody’s focus, putting your organization in the best position to prevent, detect, respond to, and recover from an incident.
Ensure you have the right processes and controls in place. Most organizations aren’t doing the basics correctly. Understanding that your environment is constantly changing, managing and monitoring detection, and having response capabilities are key to security. To learn more, contact us today.