"The low and slow approach of trojan attacks has misled many organizations into believing they are secure, while in reality, they are not," he told the Gartner Security & Risk Management Summit 2011 in London.
The hugely damaging hacking attacks on Sony and other high-profile organizations in recent months should come as a wake-up call to security professionals to be better at what they do, said Smith.
As the result of the actions of hackers, Sony's share price fell, from around $30 to $24 in just 12 weeks, and the company faces an estimated cost of $24bn.
"Organizations should ask themselves if it might be possible for competitors to assemble small, but highly-skilled hacking groups that could have a similar, devastating effect," said Smith.
Complexity Blinds Users
A common problem, he said, is that many organizations have such complex security systems they do not really know how they work or how effective they are against new and emerging threats.
"Be clear about how effective current defenses really are, ask what is necessary, what is optional and what is unnecessary or indulgent, then focus on what you really need," said Smith.
It is important IT security professionals have a pragmatic approach and are clear about what they are trying to do, he said.
Organizations Must Do the Basics
Many organizations fail to undertake even basic processes – such as establishing where sensitive data is stored and how vulnerable it is to exposure – to guide their patching and mitigation efforts.
Once the basics have been done or revisited, the challenge is to keep security fresh by embracing strategic change and modifying the IT defenses accordingly, said Smith.
"It is important for security professionals to be part of the conversation and decision-process around new technologies because, if they are not responsive and agile, they will be by-passed," he said.
Smith also warned about a compliance approach to security. "We should be doing security first to ensure data and systems are secure, not just the minimum to tick compliance boxes," he said.
Engage Users in Security
Smith emphasized the need for ongoing education of users in an organization about new and emerging threats and their role in defending against those threats.
"Security professionals must make users aware they can be the conduit for malware, but also take steps to protect users against themselves by making security controls invisible to the user and implementing smarter access control, for example," he said.
Smith cautioned against too much security. If security is too onerous or prevents people from doing their jobs, they will go around it and the business will lose visibility of what users are doing, he said.
"A key pragmatic suggestion to IT security professionals is to work with third parties to share the load by taking care of run-of-the-mill security to enable them to focus on where security can help their organization," he said.
This story was first published by Computer Weekly