Quick assessment of a company’s security posture
It is important to understand that a component of an effective security program is the security posture of the vendors that are part of your ecosystem. Thus it a good idea to evaluate the security posture of each vendor and understand the risk that they bring to your organization.
You should understand this for your own personal exposure.
There were two recent events that led me to form these thoughts. One was a breach of 143 million citizens’ records by a credit reporting agency, and another by a ride-sharing service.
Three things that are important to evaluating a company: the company culture, the technical competence of the company–top to bottom-and the depth and quality of the security team.
Many of the threats faced by the organization connected to the internet are often unsophisticated. Phishing is a great example. Automation solutions help identify some fraction of phishing emails, but highly-targeted ones come through.
The recipient of a phishing email is an important component of phishing defense. If it looks suspicious, they should know, to let security know. This would be part of security awareness training: watch for things that are unusual.
This is turning the employees of the company into sensors.
If the employees are engaged with the business of the company, this will be done with more enthusiasm and care. Employees who care about the company values are going to be good sensors.
The tone of the culture is set from the top, and reinforced by other management. If it is known that the phishing emails that go to the CFO from the CEO to transfer money are dealt with promptly and properly by those executives, this will serve as an example for the rest of the employees. This adds them to the arsenal of security defense.
Technical competence, top to bottom
Since we are all connected to the web, we need to understand how this stuff works. For example if you stand up a domain for stakeholders that is not part of your well-branded domain and make up a totally new one, you should know that this is not under the same level of control for you as a fresh domain. Maybe a hacker stands up one that looks like yours, but flips two of the words. And maybe your social media staff improperly tweets that site as where to go to fix their credit. If it is “too hard” to put that as part of your proper domain, then you might be short of the technical chops to connect your stuff to the internet.
And there is the matter of patching.
One ongoing responsibility if you are attaching your stuff to the internet is to be sure that all the software components are up-to-date. All vendors of commercial software and makers of important open-source software make available patches in the event that vulnerabilities come to light in their software.
So if you stand it up, you need to be able to patch it. If it is too hard, you are either not budgeting enough staff, or you have a skill mismatch.
Having a great security team
If your company has hundreds of millions of stakeholders, you are likely to have a security team. Here are some skills you need to have on that team:
- Application Security
- Vulnerability Management
- Live monitoring
- Security Awareness training
Perhaps you have heard rumors of a shortage in qualified front-line security personnel. You’ll need to be clever and creative about hiring and training. Or be prepared to spend more than you might expect to properly staff the team.
Recruiting, training and motivating security staff will present some challenges.
If you are successful in building a great security team, and you don’t have a good culture or if your company is allergic to technology, the best security team in the world won’t help you.
For more information, give us a call.