- Security TWENTY
- Women in Security
Reacting to news headlines is not a cybersecurity strategy, writes Rich Turner, Senior VP EMEA at the IT compliance and access product company CyberArk.
In the era of the mass data breach, the news cycle of data security compromises and hacks seems incessant. Stories of this type can dominate the international news agenda, leading organisations to believe it’s not a matter of “if,” but instead, “when” they are attacked. They are smart to do so, because that is the reality. What’s more, the sheer magnitude of these attacks really reinforces the dire implications that a security attack can have on both a company’s reputation and its bottom line. In the context of this frenzied security climate, more and more IT teams are being rushed into knee-jerk decisions based on what they read in the morning’s news bulletin, in an attempt to protect their own technical infrastructure from a cyber attack.
This process is often known as recency bias – the tendency to place too much weight on recent events – and has beset the IT industry for decades. While many IT practitioners, especially those in security, have remained loyal to the idea that we are all perfectly astute and calculated examples of logical decision-making, the reality is that we are all human. And as a result, news publications have been able to capitalise on our fears, in the knowledge that we can’t help but consume and comment on the latest event or breach that is generating headlines. Now, while there is little danger in indulging your obsession with the story behind latest Netflix documentary, there is potential danger in basing security purchases and strategies purely on the latest security fad.
New tools and technologies constantly enter the security market. Some vendors, often founded by security practitioners, are deploying powerful systems absolutely bursting with functionality, intelligence and potential. Moreover, while the wildly innovative and nascent tools are interesting, security leaders have to provide the most security value they can – quantifiable risk reduction – across their entire organisation.
Instead of chasing headlines, IT teams should look to adopt technologies that have gained recognition from security thought leaders and influencers for their ability to reduce risk. Not only that, it is essential to contextualise risk reduction to key business initiatives happening in your specific organisation. One such technology is privileged access security. Privilege exists everywhere in your organisation, and has done for as long as administrator and ‘super-user’ accounts have been integral to the operation of your company’s applications and infrastructure. Although it seems obvious that protecting privileged access is critical to maintaining security, it was, at a time, viewed as a niche security tool or something organisations could do as an “extra” step to securing the enterprise… a “nice to have,” if you will. But industry bodies such as the NCSC now highlight privileged access management as one of the cornerstones of an effective security strategy.
If you look at the key regulations across a myriad of industries, you will find that protecting privileged access is one of the key tenets to adhere to when the auditors come knocking. PCI-DSS 3.2, Sarbanes Oxley, HIPAA and SWIFT all require the protection and monitoring of privileged users and sessions. Embarking on a privileged access security program isn’t just about checking the box to fulfil a compliance requirement however, but a key step in containing attackers.
Many of us work in high tech because there is constant innovation, and cutting edge solutions are always emerging that push the limits of computing. But pushing those boundaries also requires extensions to the IT infrastructure to be inherently secure.
Fortunately for the technophiles amongst us, there is no reason to fear. The ecosystem of privileged access security is experimenting with bleeding-edge tools, developing brand new technologies and implementing new techniques to stay ahead of the attackers. While news publications are engaged in a constant fight to produce the most provocative or sensational content and generate the most clicks, IT practitioners must ground their security strategy in evidence over emotion, to lock down access to the most privileged information and assets across the enterprise and in the cloud to only those people and processes that need them.