Six Signs your Security Program is Obsolete

By Linedata’s Security Team

In the technology world, things get out of date fast, and a cybersecurity program is no exception. The lifecycle for an average piece of technology is three to five years. Like everything else in technology, cybersecurity programs become out-of-date as new techniques and technologies are constantly introduced. What do "best practices" even mean in a field that is just a few decades old and where technology turns over every few years? If unacceptable downtime due to malware, failed audits, and data leakage aren't clear enough indicators, then here are six more clues that your security program is edging towards its inevitable retirement.

1. Patching is a painful one-off exercise.

For some organizations, dealing with a major security flaw means IT dropping everything and staying late to get systems patched. In a healthy organization, patching is a routine process. This is where a clear, robust change control policy comes into play. IT should also have a good idea of what needs to be patched.

2. You don’t know where all your stuff is located.

Good security means keeping your eye on the ball—and the ball is your critical assets. An up-to-date inventory should be available at any given time. The inventory should also outline what software and data are on each system. Inventories should also extend beyond the PC and include removable media, mobile devices, and cloud deployments.
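Signs 1 and 2 together argue that patching should be driven by an inventory that records the software on every system. The following is an added illustration, not code from Linedata's post: it models a small inventory (PC, mobile device, removable media, cloud workload), flags records nobody has verified within 30 days, and lists the installs that fall below a constructed set of minimum safe versions; all asset names, versions and the `MIN_SAFE` floors are constructed.

```python
"""Added example: an asset inventory that drives the patch queue.
All asset names, owners, versions and MIN_SAFE floors are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Asset:
    name: str
    kind: str                    # "pc", "mobile", "removable", "cloud"
    owner: str
    last_verified: date          # when someone last confirmed this record
    software: dict = field(default_factory=dict)  # product -> version
    data: list = field(default_factory=list)      # data classes held

# Constructed minimum safe versions (stand-in for an advisory feed).
MIN_SAFE = {"openssl": (3, 0, 12), "agent": (2, 4, 0)}
AS_OF = date(2024, 6, 1)         # constructed "today" for the demo

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def stale_assets(inv, today, max_age_days=30):
    """Inventory entries nobody has confirmed within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a.name for a in inv if a.last_verified < cutoff)

def patch_queue(inv, min_safe=MIN_SAFE):
    """(asset, product, installed) for every install below its floor."""
    out = []
    for a in inv:
        for prod, ver in a.software.items():
            floor = min_safe.get(prod)
            if floor and parse_version(ver) < floor:
                out.append((a.name, prod, ver))
    return sorted(out)

# Constructed sample inventory covering the asset types the post names.
INVENTORY = [
    Asset("fin-pc-01", "pc", "ops", date(2024, 5, 20),
          {"openssl": "3.0.10", "agent": "2.4.1"}, ["pii"]),
    Asset("ceo-phone", "mobile", "exec", date(2024, 2, 1),
          {"agent": "2.3.9"}, ["email"]),
    Asset("usb-backup-7", "removable", "ops", date(2024, 1, 15), {}, ["backups"]),
    Asset("ledger-vm", "cloud", "platform", date(2024, 5, 28),
          {"openssl": "3.0.13"}, ["ledger"]),
]

if __name__ == "__main__":
    print("stale records:", stale_assets(INVENTORY, AS_OF))
    print("patch queue:", patch_queue(INVENTORY))
```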

3. Risk analysis is just a gap analysis against best practices or audit requirements.

Assuming that you know where everything is, you then need to figure out what bad things can happen. Risk analysis should be a lot more than reviewing a checklist of controls. It should be as collaborative, dynamic, and realistic as possible. Are business initiatives being blocked unilaterally because they are deemed unsafe, without rational and quantifiable justification? Risk mitigation is not meant to cost the business opportunities. When doing a risk analysis, document all of your assumptions, look for dependencies, and keep in mind that there is no such thing as a closed system.

4. Security policies are wordy, unclear, and no one reads them anyway.

Security policies are high-level objectives about how an organization manages risks. The goal of a security policy is that anyone in the company can read it and easily understand what they are expected to do. Technical detail and procedures are not policy—they are process documentation and should be left out of the main security policy, so they do not bog down actual implementation. Ideally, security policies should only change when risk or risk tolerances within your organization change. The policy objectives should be tied into solving business problems and match organizational activity.

5. The IT department manages the security department as an afterthought.

Security is not an add-on. It should be baked into the technology itself, based on clear guidance from the security policy. The primary job of IT is supporting the business units, which means satisfying user demands, fire-fighting major problems, and implementing projects. Security is one of many priorities, but it should be the most important one. IT teams need to understand the importance of a solid security policy and not just address it on a case-by-case basis. There needs to be a security team in place that not only manages security issues but guides actual IT operations. Ideally, they should be two distinct groups with different management structures.

6. Over-focus on operational controls and under-focus on day-to-day security work.

Security personnel can easily get distracted by tinkering with firewalls, anti-virus solutions, password settings, and vulnerability scanners. The reality is that security demands difficult, tedious, and repetitive tasks like inventory, incident response, risk monitoring, and threat analysis. It also requires building a well-considered security architecture, proper systems analysis, and resolving ongoing business needs. A bottom-up approach to security architecture, built from well-understood sub-systems, works best. If security spends all day focused on spam filters, they'll have no time for risk analysis and end up behind the curve.

Financial institutions are especially at risk when it comes to security breaches. If these six signs hit home with your organization, a major security overhaul should be on your to-do list.

Built with commercial lenders, small business lenders, automotive lenders and lessors, and equipment financers in mind, Linedata provides end-to-end efficiency and consistency to financial institutions.

Linedata is a Silver Sponsor and Exhibitor this year at RMA’s Annual Risk Management Conference, October 27-29.
