One element of security that will remain the same is its constant need to evolve. Granted, many other elements of a business go through similar processes, but not at the same speed.
The security landscape is constantly changing, and as Michael Conway of Renaissance mentioned, the definition of normal is one that’s always changing.
“Normal is evolving,” he said. “What’s normal today is not necessarily normal tomorrow, and what’s abnormal yesterday might be normal tomorrow.”
It’s worth remembering this with regards to security as the field is continuously changing. New threats, old threats and variations on both are now significant considerations in the landscape.
“It’s checks and balances,” said Conway. “It’s trying to determine what’s normal and what isn’t and then also what’s relevant and important. Because something might be abnormal and you might think that’s a bit strange, but there are bigger threats to look after.
“You have to look at [everything] and say: ‘There’s something wrong there but it’s not necessarily malevolent, it’s not necessarily critical or a huge concern, but this thing here, that’s where we have to focus’.
“That’s what you have to determine because everyone has to prioritise. If you prioritise [certain security measures, it can] mean certain things potentially left insecure, but you can’t have 100 per cent. There’s no such thing.”
Part of what makes this a tough problem to deal with is that the idea of parameters that you can lock down doesn’t really exist any more. With the number of endpoints increasing significantly thanks to more devices and services being connected, an integrated approach is really the only way to go.
“The thing is that there are no parameters,” Conway said. “There are multiple devices so everything has to be protected to the point. You also have to look at the integration of everything, the consolidation of everything, the ability to understand and interpret the data that you get back in.
“We’ve seen all those sorts of messages [about complete security] around, and they got knocked out a little bit because people don’t understand there is no such thing as complete security.”
Since there’s no such thing as complete security, a degree of prioritisation needs to be implemented. Determining what parts of your business are high risk and which ones are medium risk and low risk is important as it shows you and those in the business what should be dealt with first.
There’s no point getting over a hundred alerts if they all carry the same weight. Some will be a higher priority than others, says Conway, and in some cases, fixing the big ones can help deal with the smaller ones.
If you can interpret the data you have, you can spot trends, processes and dynamics that can help you with your decisions.
“There’s no point in me giving you 100 things to do, saying: ‘Here are 100 things to be fixed’,” Conway said. “You’d just go away [and] ignore it.
“But if I give you 100 things to do and say if you take these two or three things, that’s addressing 80 per cent of those issues as they’re also the significant ones. The interpretation of that data, the consolidation and the automation of it are really important.”
That interpretation is important because, as mentioned earlier, what’s defines as normal can differ from company to company. The same thing applies to risk management: what could be defined as risky behaviour in one place could be acceptable somewhere else.
It’s the type of threats you face and the measures you have to take to avert it that will determine the type of integrated approach you take.
Since the definition of normal is always changing, your strategy must evolve to cope with that. One of the biggest fallacies a company can end up believing, said Conway, is that whatever worked before will work now.
Something that may have worked two or three years ago will probably have to be reviewed, determining whether it’s able to keep up with the demands of modern businesses place on these tools.
“There are different challenges, and one of them is saying it worked for us before so why should it work again because the environment has changed, I would argue,” he said.
“The other one is: ‘We’re spending this amount a year so we can’t afford to spend any more’. I’d argue that you should stop looking at what you’re spending, and look at what you need to be putting in place.
“You might actually spend less money, you might spend more, but where you spend it and how you spend it is the important part.
“It’s making those decisions and making sure you are doing the right thing. So if you put in a defence that was then acceptable, and usable and workable two years ago, absolutely it should be fully reviewed now.”