Most companies don’t do what they need to do to reduce security risks. How do I know? Because I’ve consulted for hundreds of them.
They don’t patch their most attacked programs in a timely manner, and they do a poor job of teaching their users how to avoid social engineering attacks -- the two commonsense actions that would reduce their security risk most dramatically. Instead, they push for better passwords, smartcards, digital certificates, advanced firewalls, and so on. It's all good, but nowhere near as a high a priority as the top two.
So why don’t most companies prioritize the right stuff?
The short answer is that competition for IT’s attention misdirects leaders from the biggest threats and the best solutions. Here are the security distractions that pop up again and again.
Threat of the week
On average, we are exposed to 5,000 to 7,000 different publicly known vulnerabilities each year, which works out to at least 13 different possible exploit vectors a day, day after day, year after year. It’s very easy to get pulled into having to address the latest threat of the week, especially when the media makes cataclysmic predictions and assigns the vulnerability a scary name.
The message is: Address this threat now, because if you don’t, you’ll be pwned and your company and its secrets will plastered on the front page of every major newspaper. Yet even before you can defend against that doomsday exploit, another one comes along, and the cycle begins again. There goes your bandwidth.
I had a non-IT security guy tell me the other day that anytime he needs to get an item approved, he mentions that it's crucial for closing a critical security hole. Management’s purse strings immediately open.
I feel the same way about compliance. If I can’t get money for something I need to close a critical security hole, I simply mention the specific regulation the requested item will address. Senior management is held directly accountable for compliance issues, so I almost always get attention and budget approval.
Sadly, security compliance and real security often stand in opposition to each other. Case in point: Recent password papers strongly suggest that many long-held password security “facts” aren’t as effective for reducing risk as we thought. For example, studies and aggregated statistics are showing that complex, frequently changed passwords aren’t so good; users would be better off (and happier) with simple passwords that rarely change.
Unfortunately, it will be years -- if not decades -- before regulations that require complex passwords will be revised. Who knows? By then, maybe we’ll find new, contradictory truths as the regulations change. By its very nature, compliance is always behind. Every cycle spent working on inefficient compliance hurts computer security.
Too many projects
The average company I visit has no fewer than a few dozen computer security projects in play, though everyone involved knows that only a few can be completed in any given year. Heck, I consider a company exceptional if it accomplishes a single project well, on time, and within budget.
Most of the time, everyone is involved in so many projects, none of them get done right. One of the funniest things I see is when leaders rank their projects from high to low priority, with a dozen or so receiving the top rank. If you ask them to pick the single most important project, most say it isn’t possible. Instead, you have to try your best to complete them all.
Pet projects and politics
Another resource killer is a top leader's pet project that doesn’t do much to diminish risk. Often this project consumes a large portion of the company’s budget, has way more people assigned to it than is needed, and creates recurring meeting nightmares.
No one in authority understands it and takes it on faith that it's needed. Meanwhile, the enlightened people below know the only good course for their careers is to plow ahead as best as they can while quietly complaining.
I’ve been involved with many companies where, once a project is identified as needed, it takes another six months -- if not years -- to get it approved. Recently I consulted at a very large company where getting an unbudgeted VM approved and initiated could require as much as six months.
Computer security moves fast. When a new computer security attack vector pops up -- say, a pass-the-hash or ransomware attack -- we don’t have another budgeting period to wait to defend ourselves. Defenders need the flexibility to move as quickly as the attackers.
Every company says low risk and high security determine which computer assets deserve maximum protection, but the truth is every company has different risk thresholds. For example, many companies accept they can’t patch every Oracle Java instance, despite the very high risk of not patching it, whereas others don’t allow any exceptions for any software. Some companies apply all critical security patches within days of their release; others take months.
When smart new security people come on board, it's difficult for them to survive without adopting the corporate culture. Unless new people have a mandate to effect reform, even the sharpest new recruits are unlikely to change anything.