Top Layer

February 2003 Edition  
Security Insight brought to you by

News
- Attack Mitigator IPS accurately stops attacks
- SC Mag. names IDS Balancer Best of Year
- IDS Balancer 4500 offers increased scalability

5 Things Security Pros Do to Make Their Jobs Harder
An Analyst's Words of Wisdom
by Pete Lindstrom

  1. Say “No” to new technology. Security pros often come from the ranks of the paranoid, and that has turned us into technology Luddites. It is a knee-jerk reaction to think that every new technology is too risky to be useful. Whether it’s instant messaging or wireless LANs, Web Services or storage area networks, each technology is banned before it can demonstrate its value. But many of these technologies have enormous potential for a dynamic organization and should not be banned outright. A more logical approach is to conduct a thorough analysis, identify the risks, determine what controls will need to be in place, and present the security case for a controlled rollout of the new technology. Ultimately, saying “no” erodes and eventually eliminates our seat at the planning table, and we end up wondering “why we didn’t know [the next new tech] was happening.”

  2. Assume a high security, low risk posture. Security is all about assessing risk. Our gut tells us that we want to minimize risk, but we forget about the underlying value proposition that can offset even significant amounts of risk. We fly in airplanes and drive cars, knowing the potential consequences, because the value proposition is solid. In technology, Web Services fall into the higher-risk category, but if the reward is great they may well be worth it. Risk should be measured and evaluated from the perspective of enterprise benefits, not in a vacuum.

  3. React without thinking.

  4. Neglect valuation of information assets. We like to talk about how we protect our assets, yet there are huge variances within the profession about the significance and valuation of information assets, so much so that we often ignore it. Our best estimates for damages often revolve solely around productivity - the time spent responding to and recovering from an attack. We must do a better job of understanding the value of information assets to get a sense of how (or whether) we should be protecting them.

  5. Focus on trees, ignore the forest. We live in a “shades of gray” world, and that is particularly true with security. We can easily get caught up in specific controls without understanding how they may be offset in our larger environment. The most timeworn example is passwords. Security pros want to make passwords as hard to guess, or brute-force, as possible, but often neglect the human aspect that results in users writing them down on post-it notes. Even when evaluating a specific part of the enterprise, the entire control environment must be incorporated into the plan.

It is our job to understand the potential for damage and the implications of the growth of our computing environments. Risk must be counterbalanced with reward during the evaluation. In the end, the majority of security pros serve in an advisory capacity, with the ability to influence outcomes only through careful analysis, risk/reward discussions, and a final look at the ultimate value proposition to organizations.

You can reach Pete Lindstrom, Research Director at Spire Security, via e-mail at petelind@spiresecurity.com
Copyright ©2003 Top Layer Networks. All rights reserved.
Corporate Office: 2400 Computer Drive, Westboro, MA 01581, 508-870-1300 phone, www.TopLayer.com