Talking about his approach to perfecting his life’s work, kung fu master and movie star Bruce Lee said, “It is not a daily increase, but a daily decrease. Hack away at the inessentials.”

Believe it or not, less can be more in securing your business too. In the increasingly connected world, it is impossible to defend everything. That is why more businesses are adopting a risk-based approach to security, where they focus security investments by identifying risks to key assets. Some assets get more protection than others. It is all about priorities.

Risk management best practices are for the entire enterprise, not just the security and risk teams. In the connected world, a risk-based security model is more than a good idea. It is an urgent necessity.

Put on your risk mitigation hat.

The shift from whack-a-mole security to risk mitigation has been gaining momentum over the past decade. Along the way, best practices have emerged.

Chief among them is a model of security risk built on likelihood and impact. What is the likelihood of a business asset coming under threat? If the threat becomes a destructive reality, what is the potential impact? Answering these questions helps allocate limited resources to the never-ending job of guarding your bottom line. Looking at security through the lens of risk, your organization will come to see it as a business problem, not just a technical challenge.

“Security is everyone’s job”—it’s time to live the cliché.

These days, many large enterprises have a Chief Risk Officer (CRO), who takes a holistic view of security risks. Increasingly, the Chief Information Security Officer (CISO) reports up to the CRO, not to the head of IT.

Forward-looking companies also have a security and risk council, represented by senior leadership across all departments. Together, they identify risks and assign ownership of mitigation efforts. It is a company-wide effort, not just the job of the security team.

For example, it is well known that employees are one of your biggest points of vulnerability because they are targets of phishing and other social engineering tactics. Executives in accounting, marketing, and elsewhere need to spread the gospel of security to lower risk.

At the same time, security professionals should be held accountable for communicating better. When the CISO or CRO presents to the leadership team or board, the information must be clear, not overly technical, and most importantly something they can act on. A report by Bay Dynamics, a leading threat intelligence firm, shows that nearly 60 percent of board members believe security executives could lose their jobs for failing to provide actionable intelligence.

In the connected world, prioritizing security is crucial.

Earlier, I referred to the prioritization in risk-based security in terms of “less is more.” That is actually only half true. Yes, you’ll stoutly defend a smaller number of business assets. But think about what it takes to safeguard just one valuable thing in a world where everything is connected to ever more things.

For example, Neustar’s recent report on DDoS attacks shows that 82 percent of companies adopting the Internet of Things (IoT) have been hit, versus 58 percent of non-adopters. Inevitably, more connections mean more risk. Protecting a corporate asset involves more thought, investment and execution than at any time in history.

Consider what happened to Target, just one of many high-profile victims of data breaches. The retailer’s 2013 breach is notable for how the crooks pulled it off. You may know that they stole network credentials from a third-party vendor, in fact a respected refrigeration, heating, and air conditioning vendor that had done a great deal of work for Target and other top retailers.

The HVAC system. That is a connection most people would not have considered when planning how to protect the most valuable asset of all, their customers’ information. Ever since, the security world has been rethinking the concept of “points of vulnerability.” Those points are multiplying exponentially. That’s a solid case for setting priorities and delivering on them well.

Though the world of infinite connections seems daunting for security, you can succeed—enough of the time—with a risk-based approach. It will help you choose your battles and be better prepared to win.