Taking Security Seriously

Security breaches are quite common these days, and they all seem to follow a similar pattern. A breach occurs, the company doesn’t realize it until someone notifies them, and the company then issues a statement about how seriously it takes security and offers customers a year’s worth of free credit monitoring.

While that may be somewhat of a broad generalization, security professionals can usually agree that when a company says it takes security seriously, we have a collective eye-roll moment.

However, just because a company suffers a breach, it doesn’t mean that it didn’t take security seriously, or at least invest in a number of security and compliance initiatives.

You’re probably chuckling at the thought of compliance being equated with security, and it shouldn’t be. Wearing a helmet while riding my motorcycle makes me compliant with the legal requirements, but it doesn’t offer a great deal of protection to any other part of my body in the event of an accident. In fact, a helmet won’t even protect me against the rain. So, if I said I took my security and safety seriously just because I wear a helmet when riding my motorcycle, you would be right to laugh in my face.

The Technology Bias

One of the challenges with IT Security is that whenever faced with a problem, the majority will go seeking a technical answer.

For example, on a website, many will look at the strength of passwords, multi-factor authentication, encryption, or even whether the company is accredited to PCI DSS, ISO 27001, or another standard.

This circles back to the compliance argument: while such security controls are definitely needed, they don’t tell the whole story.

Proxy Indicators

Casey Ellis, founder of Bugcrowd, said, “One can never know how seriously a company takes security, so it comes down to relying on proxy indicators of security maturity.”

Proxy indicators can be a more reliable measure, complementing the fundamental security controls that compliance regulations cover. For example, proxy indicators could include the strength and credibility of the security team, the publication of technical blogs and white papers, or the inclusion of security in annual financial reports.

Security Awareness

In many cases, it’s the not-so-tangible efforts that define how seriously a company takes security. Investing not only in processes, but people can make a huge difference. Having a robust security awareness program can go a long way. However, awareness itself isn’t enough. As Perry Carpenter, chief evangelist and strategy officer at KnowBe4 says, “Just because I’m aware, it doesn’t mean I care.”

The challenge with humans isn’t necessarily educating them about the need for something, but rather making them care. This rings true not just for individual employees, but also for the company as a whole in how security manifests itself in its culture.

We Care About Security

So, perhaps taking security seriously can be looked at through the lens of how much a company cares about security.

A parent will care for their child; it’s unlikely you’ll ever hear a parent say they take their child seriously. That care will sometimes mean being strict with their child, other times it means educating them, and sometimes it means letting them make and learn from their own mistakes.

Similarly, security is a mixture of behaviors and controls. Some of it involves preventative security controls, some procedures, and a healthy dose of security awareness to create a culture of security. However, even if a security culture is attained, security can be breached. At that point, the culture is even more important as it determines how a company will respond.

It can be tempting to blame a third party, rogue employee, or other external force for a security incident or breach. Transparency and owning the issue can say more about a company than mere words. A great example of transparency in the aftermath of a breach is the Timehop security incident of 2018, where the company issued a thorough timeline of events and the measures it took.

Next time an incident occurs, I won’t be concerned with how seriously they took security. I would like to know if they cared.

Javvad Malik’s talk entitled ‘We take security seriously’ will take place on the Insight Stage on Tuesday 4 June at 3.30pm. KnowBe4 can be found at Stand M158.
