5 Security Maxims That IT Leaders Should Know

Article by Rishikesh Kamat

Rishikesh Kamat of Netmagic Solutions highlights 5 security maxims that IT leaders should know and consider while making security decisions in their organizations.

Hoopla around security has been around for a long time. Frameworks and strategies that claim to improve the security posture of organizations have kept evolving over time. Here are 5 security maxims that InfoSec leaders, chief security officers and security professionals should know and consider while making security decisions in their organizations.

The only thing more dangerous than not having security is having a false sense of security (poor deployments of security)

Most of the time it is the mere presence of processes and technology tools that gives an organization a false sense of security. Security teams go through the implementation of security tools and technologies in the hope of securing their networks, data, critical assets and intellectual property.

Then there is the boasting by security proponents and experts about a "foolproof" and impressive security posture. Ultimately this lowers the organization's guard, which is the biggest vulnerability of all. Moreover, the reality is that in many cases these tools and technologies do not translate into an improved security posture for the organization.

In security, it is advisable to spend in a focused way rather than exhaustively (use only those solutions that are relevant)

Nolan Jones, Director of eGovernment Innovation at NIC, USA says, "A healthy dose of paranoia is a good thing when it comes to computer security. It sometimes seems that every person with a bad agenda is trying to attack your systems (and that just might be the case)."

Although there is no such thing as "too much security", there is indeed the risk of "too much trust in security". Expensive, new, improved or numerous security systems do not add up to "too much security"; in fact, they may not even add up to "adequate security".

What is important is to understand the business well, identify which assets are to be secured and use only what is relevant. Everything else is a wasted exercise and, of course, wasted dollars! In an environment where security spending is still frowned upon, it is pertinent to make the best use of your investments.

Digging a well when the fire has started will only leave you with a burned house (be proactive and don't wait for an incident to prove the reality of a threat)

It is true! I have seen many cases, and in my job I get a lot of organizations that come to us when things have gone awry. Sometimes, very badly so!

Reactive approaches to security are rampant around us. From national security to building and airport security to network and information security, security measures are nearly always a reaction to an event. A proactive approach is by far the best approach, although it is easier said than done. A proactive approach helps you put yourself in the attacker's shoes: you will see the opportunities that attackers are looking for, you will see the vulnerabilities before an event, and you will be able to patch them with solutions or tools before a breach.

Security contributes to your top line and bottom line. (Higher availability, eliminated regulatory penalties)

It is self-explanatory! If proactive security approaches can help you prevent breaches, that in itself is a huge saving, considering the financial, reputational and legal damage that breaches cause organizations. The compliance and regulatory scenario is another reason to quickly start changing the approach to security, since regulatory and legal penalties can be avoided too.

Letting experts handle an organization's security helps increase the availability of the critical systems that businesses are so dependent on today. It is important to understand the top- and bottom-line benefits of security while putting a security plan in place.

If the carrot doesn't work, the stick will. (Compliance pressures will ultimately catch up)

As mentioned, compliance is only getting more stringent. The organization's security posture plays a critical role in adhering to stringent compliance norms, especially in industries such as BFSI, Healthcare, Pharma, etc.

If security slackens, soon the big daddy (the Government) is going to get you. If the carrot of business benefits does not work, the compliance stick will do the job. And it is to be taken really seriously today; a classic example is the news about the ousted CEO of Target following the data breach at the company.