Almost all of the headlines these days continue to talk about “data hack this”, “hacker that” and which security solutions are the “crown jewels”. Because of this sustained awareness of security, you too are looking within your own realm of responsibility at work and at home in an effort to keep yourself, your customers and your employer safe from cyber criminals. However, I am noticing that there are STILL a significant number of people and companies out there that are simply doing nothing but “checking the box” and saying: “well, I identified the issue” or “I told someone there was an issue”.

I define “checking the box” as security complacency. There are many reasons why individuals and companies have become complacent, but let’s first define complacency according to dictionary.com: “a feeling of quiet pleasure or security, often while unaware of some potential danger, defect, or the like; self-satisfaction or smug satisfaction with an existing situation, condition, etc.”

Let’s now take a closer look at some of the top reasons why technology and business sector employees are likely to have security complacency, keeping in mind that these employees make up “the company”.
Am I aware of what’s going on around me? Far too often we get so involved in our day-to-day tasks of keeping the lights on that we forget about the bigger picture. This is especially common in people who have operational and support responsibility: they are so busy working the next trouble ticket and keeping their boss off their backs that they forget to look up at what’s going on around them. You don’t have to be an individual contributor to fall into this heads-down approach – I’ve seen the same behavior from senior managers. Look up at what’s going on around you or you’ll miss what’s happening.
Are you unsure of what to evaluate in your environment? Many firms have consolidated a significant number of environments, platforms and applications through mergers and acquisitions over the years. These consolidations have meant staff cuts and lost documentation and knowledge. It’s likely that you just aren’t sure where your risks and gaps are. Take a step back and, piece by piece, dissect and document these merged assets.
When was the last independent penetration test done? If you’ve made moderate to significant changes in your environment or applications this year, or since your last penetration test, you need to have one done ASAP. You might be thinking: “But I don’t have an internet-facing service.” It doesn’t matter - vulnerabilities exist in many places inside your network. Have an independent penetration test done, prioritize the action items and execute the remediation plan.
Do you have proper funding for security initiatives? Lots of firms talk about funding for security initiatives, but not all are allocating it in the right order or with an adequate timeline. I have found that documenting and prioritizing a list of security gaps, and clearly outlining each one with an impact statement describing the consequences of delayed funding, gets the best results. Without proper funding, the due dates for action items related to security gaps will just be pushed back year after year. That is, of course, until the dreaded data loss occurs and you are called on the carpet to explain to your senior leaders why such a breach happened in the first place.
Do you fear roadblocks for your security initiatives? Any and all initiatives have legitimate roadblocks, but planning for them makes all the difference. Get all of the primary stakeholders involved early and explain the initiative’s benefits, get a project manager involved, outline the key milestones and phases, and be clear about the impact on all parties involved.
Are you unsure who owns security? Quite frankly, everyone owns security. With that said, your responsibility might be to just report security issues to your manager, but it could also be to execute on a security initiative and remediate a gap. Regardless, don’t just open an action item, sit back and think everything will be fine and wait for someone else to take the lead. In this day and age, everyone can and must make a difference. Are you?
Too many decisions to make and can’t decide where to start? This is probably one of the most common causes of security complacency. The environment is complex, there are unknown gaps, there are too many hands in the “cookie jar” and nobody is sure where to start. Start by documenting all of your concerns and issues, put a plan in place for each item and then execute on each one. Keep in mind that your priorities will change often and you’ll have to adjust resources and the plan, but stay focused and you will make progress.
Is your technology so old that all of its use cases are unknown? This can be a trying problem with significant risk: outdated technology, little to no documentation, and staff who moved on long ago. In this case it might be acceptable, following proper analysis, to put in a tactical security fix, or simply to document the risk and give the technology an end-of-life date. Remediating and upgrading older technology could take resources away from more pressing issues. Do your analysis and make a decision – risk vs. reward.
Do you, your staff, peers or business partners have “analysis paralysis”? The larger the initiative, the more people are involved and the higher the probability that analysis paralysis will occur. Clearly define the goals, direction and timeline for the entire group. Make sure everyone has adequate time to be heard, and be sure there is a clear decision maker to render final decisions. You’ll also find that there are some people who just don’t want to make forward progress. Identify these people early on, give them a little extra talk and, if things don’t change, get them off the project.
Do you have an executive sponsor for security initiatives? Most initiatives, whether security related or not, will go nowhere without an executive sponsor. If your manager isn’t a senior leader, try partnering with them to get to one – manage up. Otherwise you will be “checking the box” that you tried, until the day you have to explain why something didn’t get done or a security gap wasn’t closed. And trust me, all senior leaders will listen if you have the right message and can sell your plan.
Are you just “checking the box” and saying: “well, I identified the issue” or “I told someone there was an issue” - rather than fixing the issue?
Don’t get caught up in security complacency. Nothing good can come of it. Do your part for your customers, your company and, most of all, your ability to be employed in the future.
Footnote: The writer was head of the Managed File Transfer Services organization at J.P. Morgan Chase for a number of years.