Many security programs still require updated approaches

CIOs and others responsible for IT security programs continue to make grave mistakes when it comes to security. According to Niall Browne of LiveOps, a provider of cloud-based contact and call center solutions, many of these can be attributed to out-dated security approaches.

The most significant misstep made by CIOs in their security program is focus. A focus on security compliance rather than threats was the approach that Browne revealed to be the most detrimental in conducting a comprehensive security program.

To Browne, meeting the compliance standards of a particular industry or auditor is only half of what makes for wide-ranging security. “Often if you focus singularly on one direction in relation to compliance then you miss the second front, which are external threats”, he added.

He sees a shift within the industry, in a positive manner, away from this complete concentration on compliance and toward engaging the various external threats that target nearly all organizations with sensitive data that needs protecting.

“Personally, I’m a huge fan of standards [such as PCI]”, said Browne. “I think they are the foundation of building any security program.”

But a foundation is only the beginning, he continued, and organizations need to customize their security programs and controls to face the threats that exist in today’s landscape, what he describes as pillars, in addition to any further regulatory burdens that are applicable – for example, HIPPA compliance for a healthcare organization.

“There is a tendency to follow compliance standards to the letter of the law, and not doing more or less than the standards state”, Browne asserted. “That’s where huge cracks start appearing within the security program of many organizations, because they focus in on only one specific area.”

He also firmly believes that, going above compliance, CISOs and others responsible for organizational IT security can demonstrate to the executives holding the purse strings that security is an enabler for business, and not an inhibitor.

“Clients are very cognizant of security requirements, so building a security program whereby a business can on-board more clients by becoming more of a trusted entity” can demonstrate value, Browne assured. This can move the security side of the organization “out of the corner” and, far from being segregated from the other businesses units and looking for only a yearly budget handout, can integrate the organization’s security program as part of the overall business model.

As for the other major mistakes CIOs make when formulating a security program, Browne points to three aspects that reflect out-dated thinking: 1) building location-centric controls rather than data-centric controls; 2) a lack of real-time monitoring capabilities; and 3) poor approaches to application security.

When it comes to real-time monitoring, Browne acknowledges that traditional models – with 24/7 security operations centers manned by in-house personnel – can be out of the reach of smaller to medium-sized organizations. So he points to the large number of companies that now provide ‘outsourced’ comprehensive, full-time monitoring services.

“If you are a smaller organization, this can be more feasible”, he noted. Such services, he believes, provide a valuable service in today’s threat landscape and do so in a more-cost effective manner.

But it was his last item – application security – that Browne stressed in closing. “This is one of the key critical issues” we face in security today, he emphasized.

“Applications are no longer hidden behind firewalls and are instead exposed to users via the internet”, he said. It’s this rapid proliferation of web-facing apps that many organizations have failed to keep pace with in the modern security environment, Browne stressed.

“The only way security programs will be successful [going forward] is to build security into the application”, he insisted. “There needs to be more focus on how to build applications more securely and the building of application security teams themselves – including architects and engineers that build controls to protect applications.”

What’s Hot on Infosecurity Magazine?