Sponsor: https://www.nuharborsecurity.com

Contact Me: https://justinfimlaid.com/contact-me/

Twitter: @justinfimlaid

LinkedIn: https://www.linkedin.com/in/jfimlaid/

My opinion of security has changed. We are not keeping up.  Companies keep getting breached.

First things first, the idea and concepts of security have been around for a while.  In the most general terms, truth is we have senior industry and junior skill set. 

Our collective industry is not helping us be better.  Security product companies are coming to the market with new half solutions and big marketing budgets.  Advisory companies are coming to the table with new buzzwords and hollow concepts.  And “thought leaders” and “trusted advisors” are still trying to figure this out, and probably not giving the best advice yet.  All these things take our collective eye off the ball, cause us to loose focus, and distract us from doing well at security fundamentals.

For those listening to this unfamiliar with our space, here’s some examples what we’re dealing with:

  1. People failing to understand that IT Operations and security are completely different disciplines.  It’s like building a house, you need someone to lay out the blueprint, someone to pour the foundation, someone frame house, someone to do the electricity, someone to the plumbing.  These are not the same people.  IT Operations and IT Security professionals are not the same people.  If you want your house built to code like you want good security hygiene you should hire a security professional.
  2. Accounting firms pretending internal controls translates to good security operations.  This is a problem.  Internal control is destination, but you need a map and relevant mechanism of transport to get to you destination.  While I’m sure there are some accountants who play in security, articulating the map and which vehicle to use can be a problem and due to CPA independence rules they are sometimes prohibited from providing tactical guidance.
  3. Value added resellers (VAR’s) being incentivized to push one product over another. I’m pretty sure I’m going to get some hate mail from this, but I don’t think anyone would disagree that vendors and resellers push products to maximize their fiscal standing versus seeking best of breed when it might not be the companies best interest.  This creates a ton of confusion in security and really muddies the water, when this happens the only objective measure is price…which is always a bad space to be.

Those are some examples, but it’s not all bad.  We need stay focused though. In order for our security industry to get better we need get back to basics of good security hygiene.  I admit this is easier said than done, its going to take time to get there.  Until we do this we can’t start to think about automation because if you do crappy security and automate it, security automation will allow you just do crappy security faster.  You don’t need blockchain, if you don’t believe it do some research in European Election Security…they use good old-fashion asymmetric encryption.  If you’re getting started, or need a realignment go back the fundamentals, good policy, good security architecture, good security hygiene of accounts, etc.  When you’ve done this, then hopefully you have a good handle on requirements for security technology and you have the expertise on how the technology should work in your environment.