Look for Reduced Risk, Not Perfection

At the conclusion of a recent meeting about a security assessment, the discussion turned to where the company should start remediating its issues. In full disclosure, the discussion began with how the company could get away from needing me. The company's team had begun talking amongst themselves about how this would or would not help solve their overall issues. I began to realize that the company was looking for a perfect solution to an imperfect business. They wanted a silver bullet, so I had to rein the conversation back in and let my years of experience guide it back on track.


For several reasons, there is no perfect solution to security risk.

  1. Different Departments - Everyone who runs a department will have their own set of beliefs and practices. In business you cannot simply force changes on people; that will never work. Each department is charged with a particular set of outcomes. It is the job of the Security Team to work within those obstacles and agendas in order to achieve a secure infrastructure.

  2. Third Party Cloud Issues - Unless IT has a lot of insight and control, odds are that they are not involved in decisions about things like benefits providers and/or accounting firms, and each of those introduces new possible risks to the network. For example, when a new 401k provider is established in the company, it brings a new portal into which employee information is loaded. When an accounting firm is hired, a new connection is established between client records and the accounting firm. The list can go on and on, and the Security Team will have to do their best to secure those connections. Hopefully you can enforce MFA, SAML, and VPN access, but that is not always guaranteed.

  3. Humans Make Software - Humans are really good at it too, but the result is far from perfect. Software has issues and there is no perfect solution. Thus, IT will have to make something work inside its guardrails, and the Security Team will then have to secure it.

Failure to Start

Most of our companies have that person who either cannot finish a project because it is never quite done, or cannot migrate to something new because it has too many possible issues. You know this to be true; there is no such thing as perfect. Security solutions will never be perfect either. But the process needs to be started and maintained continuously.

Security is a role now in nearly every mid-sized company and larger. Smaller companies may need to outsource it, but having someone dedicated to securing the infrastructure and data is as key a role as operations. Passivity regarding security cannot be okay in a world where a security breach can put you out of business. People still talk about the Target breach all these years later. Not because there haven't been larger breaches, but because it is the ideal story: a large retailer breached through a third-party provider, with a security team that missed it for years.

Do you think Target has a focus on security now? Was that the wakeup call they needed? Do you want to wait for the same wakeup call? Can you survive that? Will your company survive that?

Consider hiring a security role today. Start the process of securing your infrastructure and data.