The character Dalton, played by Patrick Swayze, has a famous line in the movie Road House (1989): "I want you to be nice until it's time not to be nice." There is a valuable information security lesson in that line: when to follow a plan, and when it is time to rethink, revisit, or scrap it.
In security it is necessary to have a plan. Security programs that run strategically are far more effective than those that do not. That said, there are times when a given plan is no longer adequate or effective. Make a plan and stick to it, until it is no longer time to stick to the plan.
How does a security organization recognize the moment when the current plan no longer makes sense? Here are 10 signs that the time has come to change your plan:
1. Major Event: From time to time a major event turns the world upside down. How does such an event force a change of plan? The clearest way to explain it is with an example we are living through right now: COVID-19. Perhaps your company did not allow remote work. Perhaps some business functions, or some transactions, had to be completed in person. Or perhaps you had other processes and procedures that were poorly documented and relied too heavily on face-to-face interaction. In each of these cases, and many others, the old plan no longer works. Time to draw up a new one.
2. Breach: For many security teams, the most demanding thing they will ever deal with is a major breach. Once the response to the breach is over, plenty of questions still emerge, and justifiably so. How did the breach happen? What could the company have done to prevent it? What was not working properly that put the organization at risk? The list of questions goes on and on. One thing is certain: wherever the plan had elements that failed, those elements need to be revised.
3. Productivity Issues: I have yet to find a security manager with spare time on their hands. It would be an understatement to say that the average security team is busy and inundated. Having said that, a busy security team can still meet its targets and standards with proper management and planning. When poor management and planning produce productivity problems that continually haunt the security team, it is probably time to change the strategy.
4. Efficiency Issues: A successful strategy has many efficiencies built in that save the company time and money. If execution keeps getting bogged down in particular places, that is typically a sign the security team is suffering from efficiency problems. When this is the case, it is worth re-evaluating the strategy to find the areas that have become time sinks, and then prioritizing those areas to get performance back.
5. SLA Challenges: There may be many reasons why a company fails to meet its SLAs. The SLAs themselves may be unrealistic. There may be third parties or other stakeholders involved who make the SLAs hard to meet. Or there may be processes and procedures that need to change. Whatever the root cause, it is worth understanding it and then reassessing the strategy.
6. False positives: Many security teams are plagued by false positives. The noise from false positives not only wastes precious time, it also buries the true positives that actually need attention. If an organization's detection and response workflow is overwhelmed with noise, it is probably time to look at the detection and response plan again, particularly at how alerting content is created and tuned.
7. False negatives: False negatives are every bit as harmful as false positives. Missing an event or incident because it went undetected is no picnic, particularly when the problem has been going on for a long time before it comes to the organization's attention. When a security team is regularly being notified by third parties of problems it missed, that is another indication that it may be time to revisit the detection and response plan.
8. Vulnerability Remediation: We all know that unpatched vulnerabilities expose an enterprise to unnecessary risk. What many of us do not stop to consider is that the company may have systemic problems getting vulnerabilities remediated on time. Investigating and understanding why that is the case is necessary. Once the root cause has been identified, the strategy should be revisited and updated to address it.
9. Findings Remediation: Penetration testing, application security assessments, and other activities produce a continuous stream of findings that need to be remediated. When those findings are not getting remediated, it is necessary to ask why. Once one or more weak links have been found, fixing them and adjusting the strategy is important.
10. Third-party risk: Third-party risk has lately become a common topic, and for good reason. Despite our best efforts to protect our organizations, third parties with inadequate security postures can expose us to substantial risk. It is important to consider how third-party risk can be measured, evaluated, and mitigated. If you find that difficult to do, it is pretty likely you need to look at your plan again.
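Items 6 and 7 above argue that a noisy or blind detection workflow is a sign the plan needs revisiting, but "noisy" only becomes actionable once false positives and false negatives are measured. The following is an added example, not code from the original post: it scores a login-failure detection rule against a small labelled event set and shows how two tuning changes move precision and recall. Every address, account name and event is constructed for illustration, and the internal address range is an assumption.

```python
"""
Added example (not from the original post): scoring a login-failure
detection rule against labelled sample events, so that false positives
and false negatives become measurable numbers rather than a feeling that
"the queue is noisy". Every address, account name and event below is
constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed internal address range; real tuning would use the org's own.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Event:
    src: str       # source address (constructed)
    user: str
    outcome: str   # "failure" or "success"
    minute: int    # minutes since the start of a 30-minute window


# Constructed authentication log for a 30-minute window.
EVENTS = (
    # svc-backup has a stale password and fails every minute: pure noise
    [Event("10.0.0.5", "svc-backup", "failure", m) for m in range(30)]
    # burst brute force: 3 failures per minute for 10 minutes, then success
    + [Event("203.0.113.9", "jsmith", "failure", m) for m in range(10) for _ in range(3)]
    + [Event("203.0.113.9", "jsmith", "success", 10)]
    # low-and-slow guessing of a privileged account: one failure every 10 min
    + [Event("198.51.100.7", "admin", "failure", m) for m in range(0, 30, 10)]
    # ordinary user: two typos, then a successful login
    + [Event("10.0.0.22", "alee", "failure", 3),
       Event("10.0.0.22", "alee", "failure", 4),
       Event("10.0.0.22", "alee", "success", 5)]
)

# Ground truth used for scoring: sources an analyst confirmed as hostile.
MALICIOUS_SOURCES = frozenset({"203.0.113.9", "198.51.100.7"})


def failures_by_source(events):
    """Count failed logins per source address over the window."""
    return Counter(e.src for e in events if e.outcome == "failure")


def rule_naive(events, threshold=5):
    """Fire on any source with at least `threshold` failures."""
    return {src for src, n in failures_by_source(events).items() if n >= threshold}


def rule_allowlisted(events, threshold=5, allowlist=frozenset({"10.0.0.5"})):
    """Same rule, with a known-noisy service host suppressed (cuts false positives)."""
    return {src for src in rule_naive(events, threshold) if src not in allowlist}


def rule_tiered(events, internal_threshold=5, external_threshold=2,
                allowlist=frozenset({"10.0.0.5"})):
    """Lower threshold for sources outside INTERNAL_NET (recovers the slow attacker)."""
    fired = set()
    for src, n in failures_by_source(events).items():
        if src in allowlist:
            continue
        internal = ipaddress.ip_address(src) in INTERNAL_NET
        if n >= (internal_threshold if internal else external_threshold):
            fired.add(src)
    return fired


def score(fired, truth=MALICIOUS_SOURCES):
    """Precision/recall of a rule's firings against labelled ground truth."""
    tp, fp, fn = len(fired & truth), len(fired - truth), len(truth - fired)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


if __name__ == "__main__":
    for name, rule in (("naive", rule_naive),
                       ("allowlisted", rule_allowlisted),
                       ("tiered", rule_tiered)):
        fired = rule(EVENTS)
        print(f"{name:12s} fired={sorted(fired)} {score(fired)}")
```

On this data the naive rule fires on the noisy service account and on the burst attacker (precision 0.5) and misses the slow attacker (recall 0.5); the allowlist removes the false positive but not the false negative; the tiered threshold recovers the slow attacker without reintroducing noise. The point for the plan is the scoring harness, not the particular thresholds: keeping a labelled set and re-scoring each rule change is what turns items 6 and 7 from anecdotes into a trend you can act on.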