We’ve all worked with overconfident, cocky people. I used to work with one particularly egregious example of this type of personality. He would regularly take positions that were indefensible, make grandiose claims, and even threaten repercussions if others did not do as he wanted. When I first became exposed to this behaviour, his confidence convinced me too. Over time, I grew wise in behaviour, as I saw him withdraw from time to time with his tail between his legs when somebody called his bluff.
Why am I telling you this? As you might have guessed, we will learn from this a lesson in information security. In defence, we need to be sure that we know how to continuously reduce risk in a changing threat environment with success. We will need our clients, investors, colleagues, executives and other stakeholders to gain the trust. Having said that, being overconfident can be very dangerous in these places. In other words, a healthy dose of self-doubt will go a long way to keeping us on our toes and constantly enhancing our respective organizations’ security postures.
How could that be? I give five ways to keep the protection team alert when a healthy self-doubt does.
1. Investigating alerts: Many security operations teams have a well-defined queue of tasks, from which they tasks. Alerts shoot, tickets are opened and allocated to observers, analyses are conducted and recorded and the incident is either closed or marked for escalation or further inquiry. A healthy sense of self-doubt here can go a long way to preventing false negatives. How could that be? Here are several ways to go:
a. Before I rejoice that the warning queue is empty, am I sure I got the proper alert? If not, I will later pay for something I don’t see now. In other words, I can’t handle an event I haven’t seen and it doesn’t appear in my list for the job.
b. Before I close the warning as a false positive, am I completely confident I look critically at the warning with as little prejudice as possible? If not, my initial interpretation could impact or sway.
c. Do I do that objectively when I carry out an examination on a given alert? Am I ensuring that the facts and the evidence support any conclusions I draw? It sounds simple and straightforward but it’s really very complicated in reality.
2. Threat assessment: In an ideal world, a security team will have a firm grip on the key threats faced by their company. Such a security team will then set up defensive and detective systems to track those risks. Unfortunately, the landscape of the danger changes so rapidly that it’s almost difficult to stay out until it. A near-constant game of catch-up is required, resulting in inevitably missing some risks. Furthermore, even though an entity has a clear grasp on the landscape of danger, it can fail to enforce adequate protective and detective tests. Although technology and resource shortages are always two of them, there could be several explanations why that is the case. A protection organisation modest and self-conscious here should take action to tackle these challenges. However, if a security team is too cocky they won’t be able to do so.
3. Risk assessment: Security is in essence a specialty of risk management. Any successful protection programme maintains a risk registry and seeks continuous control, prevention, minimization and tracking of those risks. But how does an company ensure it hasn’t missed any important or vital risks? To assist with this, there are a variety of different structures and methodologies that an company can implement. But can you think what? Not one of them operates on an over-confident defence agency as well. The security team that is continually concerned about having made a mistake is the team that can minimise risk most effectively.
4. Institutional knowledge: Do you know where all your internet entry / regress points are? Do you have a strong handling of the organisation’s assets? Trust the numbers for weakness, patching, and compliance? Are you comfortable with the risk your third parties pose, and how they interact and access your business? Do you have a clear grasp on the protection and penetration testing of applications? How about Handling Identity and Access? These are only a few things in the institutional information domain but I’m sure you ‘re seeing my point right now. It may be naive to be over-confident when addressing the above-mentioned questions, and others like them. A healthy dose of fear will go a long way to making an organisation ask the right questions, answer them correctly and, eventually, understand themselves far better.
5. Policies, processes , and procedures: Does the protection software have the right policies, processes , and procedures? That includes the formal steps needed to handle the above points well, at a minimum. As you are probably aware, in this column I scratched only the top. Taking a step back and getting the patience of critically assessing and analysing the protection programme’s strengths and limitations with as little prejudice as possible pays big dividends. To encourage the change, this includes the ability to improve and the self-doubt.