As always, last week’s AISA Conference was a unique opportunity to liaise with some of the great minds of Information Security, identify innovations in the field, and gauge how the industry is evolving.
One observation from the Conference that struck me was the large proportion of Exhibitors selling the same solution – network perimeter protection, monitoring and scanning tools. When I asked how they differentiated themselves, typical answers were: “ours is faster”, “we notify in real time rather than interrogating logs,” “ours is smarter, using our unique behavioural and signature analysis,” etc.
What I found particularly concerning was that not a single one of these vendors could answer one very simple question, “How can your tools make effective data loss prevention (DLP)-type decisions if you don’t have business-defined priorities and context?”
Put simply, all of these tools operating at the network layer lack business context. I’m not going as far as to say these tools are a complete waste of money, but without business context they are unable to differentiate danger from distraction, and essentially operate as highly overpriced firewalls and patch level scanners.
Some of the vendors were aware of the issue and recognised the major gap in their offering, but were completely unaware of how to solve the problem. The best answer I got was, “you need to talk to the business to get that information.” In reality, none of them knew what questions to ask the business or the process to actually gather the relevant information.
Why is there such a huge disconnect between the vendor tools and the business context?
It stems from the common misconception that as an IS Professional you need to focus on threats.
The large increase in cyber-attacks, especially, is fuelling a reactive response to try to deal with threats directly. But with thousands of existing threats and hundreds of new threats every day, a reactive approach is like trying to plug holes in a leaky bucket when more holes are being created than there are plugs available.
A common response to combat increasing threats is to hire more and more ‘fire fighters’ to put out the fires. Some larger organisations, for example, have hundreds of staff dedicated to these ‘fire-fighting’ activities. Unfortunately, they never stop to think if they are fighting the right fires.
The simple diagram below shows how threat-centric thinking can overwhelm an organisation, waste enormous resources, and still leave it highly exposed:
It’s NOT about the threat, it’s about your data
We know that threats are endless, so you need to be data-centric; focus on the sensitivity of your data and then decide what controls are needed specific to that business context. We have the methodology and tools to solve this problem, but without this prioritisation and focus, we risk spending enormous resources without protecting what is, in fact, most important to the organisation – THE DATA!
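As an added illustration of this argument (example code written for this post, not a vendor tool), the classification labels and the four outbound transfer events below are constructed assumptions: the same events are triaged first using only what a context-free perimeter tool can see, then with the business-assigned sensitivity of the source data store applied.

```python
from dataclasses import dataclass

# Constructed example: business-defined classification of data stores.
# In practice this comes from asking the business, not from the network.
CLASSIFICATION = {
    "hr-share": "restricted",
    "crm-db": "confidential",
    "wiki": "internal",
    "marketing-cdn": "public",
}
SENSITIVITY_WEIGHT = {"restricted": 100, "confidential": 40, "internal": 5, "public": 0}


@dataclass
class TransferEvent:
    source: str     # data store the file came from (constructed)
    dest: str       # external destination host (constructed)
    size_mb: int    # volume transferred
    new_dest: bool  # destination never seen before by the network tool


def network_only_score(ev: TransferEvent) -> float:
    """What a perimeter tool can score without context: volume and novelty."""
    return ev.size_mb + (50 if ev.new_dest else 0)


def data_centric_score(ev: TransferEvent) -> float:
    """Same signals, weighted by the business-defined sensitivity of the source."""
    label = CLASSIFICATION.get(ev.source, "unknown")
    # Unclassified stores get a moderate weight until the business answers.
    weight = SENSITIVITY_WEIGHT.get(label, 20)
    return weight * (1 + ev.size_mb / 100) + (10 if ev.new_dest else 0)


def triage(events, scorer):
    """Return source stores ordered from most to least urgent under `scorer`."""
    return [ev.source for ev in sorted(events, key=scorer, reverse=True)]


# Constructed sample events: a large public CDN mirror, a wiki backup,
# a tiny e-mail attachment from the HR share, and a CRM export to a partner.
EVENTS = [
    TransferEvent("marketing-cdn", "cdn-mirror.example", 900, True),
    TransferEvent("wiki", "backup.example", 300, False),
    TransferEvent("hr-share", "mail.example", 2, False),
    TransferEvent("crm-db", "partner.example", 40, True),
]

if __name__ == "__main__":
    print("network-only :", triage(EVENTS, network_only_score))
    print("data-centric :", triage(EVENTS, data_centric_score))
```

Without classification the public CDN mirror tops the queue and the restricted HR data sits last; with it, the order inverts and the analyst's time goes to the data that matters.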
Have you prioritised and focused effectively to ensure your most valuable data is protected?!
As an IS professional, regardless of your level of experience, it’s imperative that you have confidence that your organisation’s data is secure. Yes, it can be overwhelming, but there is no need to over-complicate the necessary processes.
If you would like a further discussion (however long or short) on how you can guarantee that your organisation has full control over its data, I’m always available for a chat. You can contact me on 03 9017 2119 or via our contact form.