Security is a full-time responsibility. It’s not 9-5. You have concerns, risks, and attacks 24/7/365. Adversaries work around the clock and, therefore, security also needs to be managed around the clock.
Security-Trained Staff Need to Be Available to Respond to Security Concerns
It’s important that, when a security concern pops up, you have security trained staff who can immediately respond. You don’t want to have a circumstance where something goes wrong after hours on a Friday evening, and no one is responsible for investigating the incident until Monday morning. That gives the adversaries several days of unobstructed access to your environment. It’s important to have security-trained staff (and not just employees with an IT focus) able to respond quickly all the time.
Unscheduled Updates and Patches Also Need to Be Acted on Quickly
In addition to being able to respond quickly, you also need to realize that new threats, risks, and vulnerabilities appear daily. That requires you to be able to quickly make unscheduled updates and patches to address immediate threats because those unplanned security fixes are often the most critical. They address issues that are being actively leveraged by the adversaries to compromise organizations even as the update itself is being released. You want to be able to take timely action, not just to a general security update, but when there’s a new risk, vulnerability, or threat.
Security Must Be Top Focus for Your Security Staff
When you have people managing IT and managing security part time, security often gets treated like a secondary responsibility. For an IT leader also managing security, their top priority is supporting productive IT operations. When you have staff working from a security perspective, security must be their top focus. You don’t want someone to take a potential security issue and just immediately go down the path of the production operations side and think about security later – potentially making matters worse.
For example, say a security issue arises while your company email stops working. What does that person tackle first? Are they going to restore email services (which is critical to your organization), or are they going to investigate the reason the service went down (which could be a potential security issue)? This scenario drives home that you need two separately delineated roles, so you have people working on both in parallel. But when you try to make a single group balance those two focuses simultaneously, they’re going to focus on production first – and that will certainly put you at a much greater security risk.
Part-Time Security Creates Reactive (Not Strategic) Security
If you’re looking at security from a part-time perspective, you’re likely too focused on tactical details like tools, technologies, patches, and solutions and address security in a reactive manner. You also likely don’t have the time to think strategically and will miss the big picture. You need time to map out strategic plans for how you should address security like third-party risk management, disaster recovery planning, etc.
Now, we’re not saying that every single organization needs to have a dedicated security department, operational 24/7. That’s not always cost-effective, and it doesn’t make sense for every organization. But you need to think through how you’re managing security. You must ask yourself if you have the right skills and coverage. If you don’t, then you need to think about how you can either acquire those skills or use third parties / managed service providers and outside resources to help fill those gaps. For example, a server administrator can’t be expected to do a forensic review without specialized security training. It’s important to identify your potential security gaps in skillsets and coverage
Having, following, and managing a strategic vision of security is critical. Reactive security will leave holes in your environment. Therefore, you must look at your environment holistically and periodically to make sure that your risk posture hasn’t changed.
COVID caused huge changes to a lot of organizations; they had spent a lot of time and focus on building their on-prem environment, securing their perimeter, and then everyone left that perimeter to work from home. Those organizations had to ask themselves, “How do we manage security now?” If IT was responsible for security in those situations, they were spending most of their time setting up new collaboration systems and get new SaaS (Software as a Service) services to help enable the business. Security often was a secondary thought or priority, or even entirely neglected in many cases. IT typically sets up basic security like passwords, VPNs (Virtual Private Networks), etc. But a more comprehensive and strategic security vision is key to stay ahead of the attackers.
FAQ: What type of security needs to be 24/7 vs working hours?
There are two critical security needs that require 24/7 coverage: threat monitoring and response.
Threat Monitoring / Detection Capability
Many of the attacks you hear about in the news aren’t happening instantaneously. They’re doing a lot of different things over time, so the sooner you can get engaged from a response standpoint, the better outcome you’ll likely have.
Response isn’t occurring 24/7, but it must be available 24/7. For example, if a security issue comes up on 8:00 PM on a holiday weekend, somebody must be on call to respond whether it’s disconnecting servers or shutting the firewall down so data isn’t compromised. Now, you don’t need a dedicated incident response person, but your organization does need to know who to contact. And if that first contact person (ex. Director of IT) doesn’t respond, then who do you contact next? Time is critical, and you must ensure the right individual(s) immediately address the situation. You need a combination of monitoring of critical alerts as well as the capabilities to respond to those alerts at once. Day-to-day monitoring and managing of your environment is a key pillar of our Secure by Design offering. Contact us to learn more about it.
Security Requires Full-Time Attention from Dedicated Staff
Security is continuous risk management process, and it requires full time attention from dedicated staff who can approach it strategically. If you would like to learn more about how to minimize your organizational risk with a holistic security approach, then contact us. We will be happy to learn more about the challenges facing your organization and share with you how to address them.