I have been working in IT security for a few years now. At my current company, I am responsible for North American IT security and am part of a small global security team. Before I started there, information security was handled by the infrastructure team. Let me tell you that this is not really a good way to handle security, because that team tends to think about the problem differently. So how should information security be handled?
Information security should not be about saying no to everything. For instance, I can make any computer completely safe from malware and completely safe from being hacked. To do so, I just need to remove the network connection, keyboard, mouse, monitor… really any other input and output mechanism. Of course, that makes it completely unusable. As that unusable computer shows, security should not be about removing things. Rather, it should be about applying proper controls to mitigate the risks.
It is the responsibility of the information security professional to mitigate the risk of bad actors getting something out of the company. One of the core concepts of information security is the CIA triad, which stands for confidentiality, integrity, and availability. Going back to that ultra-secure computer: the information is definitely still confidential, and since it has not been used, the data integrity is great, but it is not available, so it fails the triad.
I have found that groups like IT Operations tend not to think about security first. This is where the information security professional comes in, by reviewing the company’s processes to make sure the data is both usable and secure. There are plenty of tools out there to help with this process. For instance, multi-factor authentication (MFA) is great because it offers more than the simple user ID and password combination. This is especially important since some people will use easy-to-remember passwords or even write their passwords down somewhere. By adding MFA, you can even relax the time between password changes. In fact, the latest recommendation is to not force password changes except when there is a possible account compromise.
Of course, IT does not get an unlimited budget, and security tends to get only a small portion of that budget. So how does the security professional decide where to spend the money? One simple method is to look at risk versus reward. For instance, putting all your budget into a really secure firewall may not be the best way to go now that employees take their computers out of the office. If an employee’s laptop gets infected with malware while out of the office, the malware goes around the firewall when the laptop is plugged back into the corporate network. It would be better to invest in anti-malware on the endpoints so that they are protected even when not in the office. There are other products out there that can help protect the endpoints, including antivirus, email security, and web browsing solutions.
Email is probably the most used attack vector I have seen. Why is this? Because the employee tends to be seen as the weakest link in the security chain. This is why security training is important. There are companies that sell security training, and they can be really good purchases. They tend to offer newsletters, games, and email packages that can be given to employees. Plus, a good internal phishing campaign can be used to test your employees. One thing I have added to my security training is a monthly newsletter I send to the employees. It is something that I write up myself, so it costs my company nothing but my time. This does not have to be anything huge. In fact, it is better if it is short and covers only one or two topics, as people tend not to have time to read something too long. For instance, I have done a few newsletters on phishing, especially what to look out for in a phishing email. I even add a picture or two to catch the eye. I use Google to find the images. If you do that, just make sure to change the usage rights filter to Reuse. You can do this by clicking on the Tools option to find the Usage Rights menu.
Security is extremely important for companies. While it is everyone’s responsibility to keep company data secure, it is the IT security professional’s role to make sure things are secure. Tools can help, but the security professional needs to know where to spend the budget dollars. Security training is a great way to help end users stay secure. There are plenty of other parts to being an IT security professional. This post is just about some of the tidbits that I have picked up while working in IT security. If there is anything you want me to go over, feel free to reach out and maybe I will write a blog post about the topic.