Chief Information Security Officer @Prominent UAE Bank & Vice President – ISC2 UAE Chapter.
Connect on LinkedIn
Organizations make key information security mistakes, which leads to inefficient and ineffective control environment. High profile data breaches and cyber-attacks drive the industry to look for more comprehensive protection measures since many organizations feel that their capability to withstand persistent targeted attacks is minimal. But at the same time, these organizations make some key information security mistakes, that jeopardize their efforts towards control robustness.
Although many firms invest in security technologies and people, no one has the confidence that the measures taken are good enough to protect their data from compromises. Below are the 10 worst mistakes which are common to find, and important to address in the path of mature information security posture.
If you analyze the cyber security scenarios, and organizational capabilities, the prevailing trend is a vendor-driven approach. In many cases, security professionals adopt the attitude of procuring the latest security solution with fancy features as the solution to all their problems! Also, they fail to implement it effectively, with less than 50% of the functionalities configured or used.
Similarly, industry makes many other key information security mistakes concerning cyber and data protection measures. Few of them are given below with some quick fixes, that can be important to analyze.
Mistake 1: Ignoring the fundamentals and focus on extravagant latest “toy”
Security professionals’ focus gets diverted to latest and fanciest security solutions. They keep forgetting or neglecting the basics, in this fast-paced world of marketing gimmicks, which leads to one of the key information security mistakes.
Past many incidents drive us to the conclusion that, in most cases, the attacker exploits the underlying weakness in the fundamental components of a security ecosystem. These vulnerabilities could be lack of awareness, missing patches, weak access controls, or absence of multilevel defense.
Ensure that the focus and priority are to build the basic building blocks of security, before going for extravagant solutions. Follow the security principles of Least Privilege, need to have and need to know based access provisioning and multilevel defense. Latest technology solutions may be required, but will not be useful, if the fundamentals are weak or not taken into account.
Mistake 2: Lack of holistic approach
Lack of holistic approach leads to addressing cybersecurity issues superficially. Instead of understanding the root causes for defining corrective action plans, many organizations work on to clear only the symptoms that are obvious.
The over dependency on procuring and implementing the most advanced technology to prevent latest threats is always a cat and mouse game with hackers -Thinking that cybersecurity can be achieved just by IT and fail to know about the importance of right processes and adequate awareness among the stakeholders.
When one security gap is closed, don’t discount the possibility of opening up many other vulnerabilities. In some instances, depends on the root cause, the same issue re-appears on same or different systems/areas.
Also, most of the time, closing the gap means, deploying one more security technology, without establishing the right processes or training the employees or the combination of the three.
Security design and deployment must be through right processes, technology, and people improvements. Understand the root causes of the incidents/problems and define corrective actions for continual improvement.
You may be interested in reading: How to Achieve Effective Information Security with a Holistic Approach?
Mistake 3: Lack of Adequate visibility
Lack of complete visibility of organizational processes and assets, hence become blindfolded with the security risks associated with it. Unless we know the actual full-blown layout of the network, external connectivity, controls deployed, and risk assessment reports, we may overlook critical areas and may be focused on less significant risks.
Easy, comprehensive and accurate view of the technology and business environment is exceptionally crucial for understanding and managing risks. If any area or component missed from the visibility, that may be the point of entry for the adversaries. Proper business services, process documentation, External connectivity diagrams, network architecture diagrams, linking the risks and controls to the business outcome – some of these details can give visibility to difference audiences, including the CISO, Information Security Team, and Executive management.
Mistake 4: Missing Security in business processes
It is a known fact that there is an inconsistent approach towards cyber security, by not following the controls and processes on every business activities and operations of the company. Organizations don’t give importance to this element, and Information Security experts focus on security awareness programs and process directly related to information security only (e.g., access provisioning, data classification, etc.). Although these are essential; equally important is the business process enhancement with security embedment.
Implant security in the business process, which will be the most effective control in many scenarios. Staff will be automatically following secure practices, due to the built-in process, instead of overlaying it on top of their existing business practices.
You may be interested in reading: Successful CISO – Is a Business Enabler the Need of the Hour?
Mistake 5: Ineffective change management
After designing and deploying the best security for the company and got audited and certified, if the IT team carries out uncontrolled changes without adequate security controls and reviews, then it could open up new security holes that bypass many of the measures implemented till then.
Change and Release management process must be well defined, and with security requirements incorporated along with the life cycle of the changes. Security requirements in the change and the impact of the shift in the security ecosystem in the organization must be appropriately reviewed and reassessed to confirm that, it doesn’t dislodge the security posture.
You may be interested in reading: Information Security Awareness Program – What is the Key to Make it a Success?
Mistake 6: Focus on Production Environment Only and ignore the security of Test & Development environment.
Control implementation and control assessments focus on IT Systems, and those systems which are available online (in production). But at the same time, the sensitive or valuable information may be available in test/development systems (online or offline), or in the external storages. Also, any security compromises of IT systems (irrespective of production or test/dev) could be detrimental to the network, as the launch pad for further attacks.
Unreliable security test results and certifications which may depict that the organization is secure, but in fact, the critical business data may be available without having the right security and are easily prone for unauthorized access.
Assessing the security risks, through reviews, or penetration testing & vulnerability assessment exercise doesn’t produce the expected overall outcome. Unless the inventory is accurate and include all assets belongs to the organization – online and offline, the report shall be considered as inaccurate and gives a wrong risk posture.
Collect and Compile the total inventory of services, processes, and assets, including information that should include test, development and any other environment. Any traces of data, in whichever form it is and whatever location it is, must be collected and analyzed for security risks and controls.
Mistake 7: Lack of data identification and classification
The absence of efficient classification and monitoring of information, and the dearth of enough importance given to data-centric security.
Firms must ensure that they have the full inventory of assets, which are located and classified (based on the business value of it). This database shall enable us to ensure that the right and adequate controls are in place to protect the most valuable assets on priority. All control definitions, prioritization, and implementation must be by the criticality of the assets/data in the organization.
Mistake 8: Ineffective policies – Just in Paper!
Policies and procedures become just static documents, and not adequately implemented or effective. While policies are essential for the organization, its effectiveness is equally important too. In many cases, consultants or staff do copy-past policies, that was developed for other agencies.
Considering that they are not taking into account the business scenarios, requirements, expectations, and risks appropriately, the policies may be a misfit in the organizational ecosystem. There is all chance of these policies being ineffective, create conflicts, and no buy-in due to the lack of rationale.
Policies maintained as documents, but there is no effective way of adopting it by the concerned users/departments. There is no planned and structured approach to implementing the policies, which leads to not achieving the policy objectives.
Draft policies that are relevant and customized for the business environment and security profile. Engage business and technology stakeholders and refine/tailor the policies by taking into account various internal/external factors. Develop a very structured and continual process of mapping the policies to all the concerned audience, covering its scope. Define the policy compliance check process, and ensure regular audits. Policy awareness and maximum automation, to address the user dependency of policy adherence.
Mistake 9: Lack of Authority
Establish an Information Security Function with or without a CISO, who does not have the authority, budget, resources, and reach to ensure end-to-end security. When CISO is placed in the wrong departments, with ineffective reporting lines, and without the right authority, Information Security gets the least importance and the last priority in organizational activities and objectives.
Organizations wake up after an attack or a breach to find that unqualified, ineffective and weak CISOs or no CISO at all are one of the key factors behind their losses worth of Millions! (Read recent breaches!)
In this era of communication and digital transformation, any organization must know that information security is one of the most critical functions of it. It is essential for online business and financial institutions, considering the nature of the business and threats associated.
It is more or at least equal to the Finance or Technology Departments of the organization. The authority of the CISO and his reporting line should enable him to drive the program with confidence. He should be able to take critical decisions that support the business and at the same time, secure the organization.
Mistake 10: Uncontrolled or Unrestricted Network Traffic Management
Uncontrolled and unmanaged outgoing traffic (no visibility too) with ineffective monitoring could end up in significant security incidents. In many cases, organizations tend to protect from unwanted incoming traffic but forget about the outgoing traffic.
This weakness could lead to future security compromises, attacks to another network (originates from the organizational network (may be due to infected machines – bots) or even leakage of the data as part of an Advanced Persistent Threat (APT) or data exfiltration attack.
Ensure to collect and compile data flows and traffic details – incoming and outgoing. Users are allowed to communicate to the external networks with total scrutiny and monitoring, based on business justifications. This control will help to reduce the risks, and also have a complete visibility of what is going out of the network.
About the Author
Illyas Kooliyankal is a well-known Cyber Security Expert, who currently working as the CISO at a prominent bank in UAE and serves as Vice President of ISC2 (UAE Chapter). He has won many international awards, including the ECCouncil (USA) Global CISO Award (Runner Up), ISACA CISO and Emirates Airlines CISM Award. He is a well-received keynote speaker at many international conferences in the USA, UK, Singapore, Dubai, etc. With more than 15 industry certifications and many whitepapers and articles, Illyas brings his innovative thoughts to instill effectiveness in organizational security.