Comment: DIY IT Security – The Hard and Wrong Ways

Matt Harrigan explains the problems that arise with DIY cybersecurity

Although many organizations have a dedicated risk assurance resource, most do not have a top-ranking executive in charge of IT/cybersecurity or one responsible for information assurance risks. A 2012 Carnegie Mellon survey of the Forbes Global 2000 found that fewer than one-third of the companies surveyed are "undertaking basic responsibilities for cyber governance" at the board and senior executive level.

Because executives don't always take charge of the tricky subject of information assurance, security responsibility within an organization may be murky. Designated enforcers can face resistance, backlash and non-compliance from higher-ups, with no one to stand in their corner when security-versus-convenience debates inevitably start to heat up.

Most certainly, convenience will always trump security. The lack of accountability can lead to the ‘security guy’ effectively being peer pressured into recommending convenient solutions that simply Band-Aid risks but don't result in better organizational security. To protect against issues such as insider threats, BYOD hijacking, mobile device hacking and client-side vulnerabilities, an organization needs not only significant internal resources, but also executive support and advocacy.

The reality is that DIY security can only work if your organization can hire a seasoned cybersecurity expert with full accountability for the environment. It requires a broad skill set to both manage the day-to-day activity around all related challenges and countermeasures, and also keep ahead of developing information assurance risks. Although not impossible, this approach is very difficult given the limited talent pool.

The easier way is to hire a professional organization to manage cyber and IT security. While engaging outside security consultants may seem like a complex endeavor, employing a dedicated firm to safeguard your information security concerns can actually simplify an organization’s overall security efforts. Here are a few reasons why.

First, outside professionals are fast. Their business is to know not only the unique threats and risks you face, but also how to respond when those risks become a reality.

Compromise can result in same-day loss of assets, and an information security firm’s reputation depends on rapid response. Thanks to the power of the cybersecurity ‘assembly line’, this outside information assurance team will roll out security updates – both proactively and in response to actual attacks – within the environments they manage on your behalf. This means you can get protection even before attacks against your assets occur. In-house security gurus may not spot and fix a vulnerability until an attack occurs or, more likely, until after the damage has been done.

Second, outside professionals are vigilant. They look for exploits on a day-to-day basis. When they find one, they can roll out the fix to you ASAP. Whereas your in-house guru might take a two-week vacation and leave you exposed to attack during that time, an external security team has you covered, round-the-clock, 365 days per year.

Third, outside professionals are diverse and can respond to a wide array of threats. Typically, a single cyber/IT security expert will have specialties, such as a content management system that he or she is particularly adept at securing. If you have only one information assurance professional on your IT team, you may get a one-dimensional solution that creates the illusion of security on one attack surface but neglects many others.

The emergence of BYOD and social engineering threats has left many organizations, including those with significant resources, especially vulnerable. An outside firm will employ many experts with diverse skills, giving you much more comprehensive protection against short- and medium-term threats.

Hiring an outside security team can come with just about any price tag, depending on your cybersecurity requirements. If you find the right agency that you trust, it can be the easiest and most cost effective response to the dynamic, unpredictable nature of cybersecurity threats.

What’s more, organizational cybersecurity is an emerging discipline. Just as a retail store is locked up at night, cyber assets need to be locked and monitored as well. The process is a lot more complicated than closing a door, setting an alarm, and turning the deadbolt key – but if you choose the right professionals to manage your organization's security interests for you, it doesn't have to be as hard as it seems.
Matt Harrigan is a 20-year information security and compliance veteran. He is credited with inventing and popularizing the practice of commercial penetration testing and was one of the original contributors to the PCI-DSS standard. Harrigan currently serves as CEO of Critical Assets and CA Labs, a firm specializing in the delivery of infosec and compliance solutions to government, utilities, and enterprises.