Thales Blog

5 Key Points On IT Security From Brigadier General Brad Pray USAF, US Cyber Command (retired)

October 23, 2014

Andy Kicklighter | Director of Product Marketing

Earlier today we were honored to have Brigadier General Brad Pray USAF (retired), now with Axios, speaking with Vormetric on a webinar hosted by our partner CaraSoft. The topic was Defending Data in a Perimeter-less Environment.

The analogies he drew, applying the lessons learned from protecting military environments in dangerous circumstances, are ones that I think every organization can use to strengthen its security posture and protect data against the continuous stream of breaches that organizations large and small are experiencing. Here are five of the key points I captured from his presentation, with some interpretation on my part about how to apply them.


  1. Analyze what needs protecting
  2. Engage with key stakeholders throughout the organization
  3. Make every person within the organization a participant in the “mission” of security
  4. Clearly define your strategy – and incorporate “Adaptive Planning”
  5. Some critical points to take away

Point 1 – Analyze what needs protecting. In the physical world, the analogy is to a military base. Bury the base deep in a mountain and it will be safe, but it definitely won’t perform its mission in the wider world.

Back in the world of IT Security, it’s a fact that if you lock down everything, no work will get done. Brad didn’t mention it, but we all know that the most secure system is the one that no one can access or use (and is also turned off) – unfortunately you can’t run a business (or any other organization) that way, so risk is a key factor. The point was that careful discovery is needed to identify what information needs protecting and where that data is located. It isn’t practical to put deep, layered security around every system and every piece of data within the organization – so analyze, prioritize and plan for security around the information that really matters.

And be aware that discovery isn’t a one-time process – it needs to be continuous and ongoing. With data generated and used at today’s frantic pace, last month’s or last week’s picture of what needs to be protected won’t stay current for long.
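To make the "continuous discovery" idea concrete, here is an added example (not code from the webinar, Vormetric or the author) that scans a constructed in-memory set of files for a few common classes of sensitive data, builds an inventory of where that data lives, and diffs today’s inventory against last week’s so that newly exposed locations stand out. The file contents, paths and the three detection patterns are assumptions chosen for the illustration; a real scanner would walk real file shares and databases and carry a much larger pattern library.

```python
import re

# Constructed sample "file systems": path -> text content. Two snapshots stand in for
# last week's and today's scan of a file share (assumed data, not from the original post).
SNAPSHOT_LAST_WEEK = {
    "/share/finance/q3_report.txt": "Revenue up 4%. Contact ops@example.com for details.",
    "/share/hr/benefits.csv": "name,ssn\nJane Roe,123-45-6789\n",
}
SNAPSHOT_TODAY = {
    "/share/finance/q3_report.txt": "Revenue up 4%. Contact ops@example.com for details.",
    "/share/hr/benefits.csv": "name,ssn\nJane Roe,123-45-6789\n",
    "/share/marketing/export.csv": "card\n4111111111111111\n",   # new file holding a card number
    "/share/tmp/notes.txt": "call 4111 1111 1111 1112 tomorrow",  # looks like a card, fails Luhn
}

# Sensitive-data classes this toy scanner recognizes (assumed, minimal set).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),  # 16 digits, optional space/hyphen separators
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out 16-digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive-data classes found in a piece of text."""
    found = set()
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if label == "card" and not luhn_ok(re.sub(r"[ -]", "", m.group())):
                continue  # digit run that is not a valid card number
            found.add(label)
    return found


def inventory(snapshot: dict) -> dict:
    """Map each path that holds sensitive data to the classes found in it."""
    result = {}
    for path, text in snapshot.items():
        classes = classify(text)
        if classes:
            result[path] = classes
    return result


def discovery_delta(previous: dict, current: dict):
    """Diff two inventories: paths with new sensitive data, and paths that disappeared."""
    new_exposure = {p: c for p, c in current.items() if c - previous.get(p, set())}
    removed = {p: c for p, c in previous.items() if p not in current}
    return new_exposure, removed


if __name__ == "__main__":
    before = inventory(SNAPSHOT_LAST_WEEK)
    now = inventory(SNAPSHOT_TODAY)
    new, gone = discovery_delta(before, now)
    for path, classes in sorted(now.items()):
        print(f"{path}: {', '.join(sorted(classes))}")
    print("newly exposed since last scan:", sorted(new))
    print("no longer present:", sorted(gone))
```

Running the script shows the HR and finance files as known locations of sensitive data and reports the marketing export as new exposure since the last scan, while the scratch note whose digit run fails the Luhn check is not counted. The delta is what makes discovery "continuous": the interesting output each run is not the whole inventory but what changed.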

Point 2 – Engage with key stakeholders throughout the organization. IT Security doesn’t happen in a little box off in the corner of an organization with the label “Security” on it, performed only by IT, the CIO, the CISO and the CTO. Securing an organization’s critical information requires that key operational leaders be engaged. The CEO, COO, CFO and business unit leaders all need to be actively bought into the program, directly engaged with, and have their input acted upon in the wider planning for securing the organization. Failure to do so, in both the physical and cyber worlds, leads to people complying with the letter but not the spirit of the plan, and results in fragmented priorities and implementations.

Point 3 – Make every person within the organization a participant in the “mission” of security. Being raised as a “military brat”, I know that every person within a command has a primary “mission” as well as secondary responsibilities. It’s the same in every enterprise – people not only have to do their work, they also have to meet guidelines for behavior, methods of operation, work hours, equipment use, financial responsibility and so on. Today, not many of us make it a requirement for our employees to understand how their roles affect the security of our organization’s data, and with it the success of our operations. The people that make our enterprises work need to be brought in, educated and engaged as active participants in IT Security. It can’t be just a barrier to getting their work done. IT staff especially need to make IT Security part of their daily mindset.

Point 4 – Clearly define your strategy – and incorporate “Adaptive Planning”. “Choose your battles” – you can’t protect everything, so you must select the data that represents your “crown jewels” and protect it accordingly. Assess your risks, identify what most needs protecting, and set a strategy that provides the in-depth protection required. There’s no substitute for doing the assessment and engaging both “Operational” and “IT” staff to protect this information.

Military parlance includes the term “Adaptive Planning” – think of this as a way of building into a strategy the long-known fact that “no battle plan survives contact with the enemy”. Circumstances and attacks on IT infrastructure and applications change and evolve. When creating your strategy, plan to evolve your IT Security implementations to match, and do it in a way that leaves you the flexibility to adapt to new attacks and changes in the threat landscape.

Point 5 – Some critical points to take away

  • Perform discovery, risk assessment and risk mitigation – not just at the inception of the program, but on a periodic, or even continuous, basis
  • Incorporate constant monitoring and detection for threats and attacks, and closely watch the behavior of those with access to sensitive data
  • Constantly evolve your IT Security controls to match the threat environment
  • Constantly upgrade your analytics to recognize new threats
  • All employees have to be a part of the solution
  • Periodically assess your readiness - with penetration testing, vulnerability assessments and more
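The second bullet above, watching the behavior of those with access to sensitive data, is the one most often left as a slogan. As an added example (not code from the webinar, Vormetric or the author), the script below builds a per-user baseline from a constructed week of file-access log lines and then checks a constructed day of current activity against it, flagging three things a practitioner typically watches for: access to a sensitive location the user has never touched before, access outside business hours, and a daily volume well above the user’s own average. The log format, the set of sensitive paths, the business-hours window and the 3x volume factor are all assumptions for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed access records in the form "<ISO timestamp> <user> <action> <path>".
# The baseline covers a prior week; TODAY_LOG is the day being checked (assumed data).
BASELINE_LOG = """\
2014-10-15T09:12:00 alice READ /share/hr/benefits.csv
2014-10-15T10:30:00 alice READ /share/hr/benefits.csv
2014-10-16T09:05:00 alice READ /share/hr/benefits.csv
2014-10-16T14:20:00 alice READ /share/hr/benefits.csv
2014-10-17T11:00:00 alice READ /share/hr/benefits.csv
2014-10-15T09:40:00 bob READ /share/finance/q3_report.txt
2014-10-16T15:10:00 bob READ /share/finance/q3_report.txt
2014-10-17T10:25:00 bob READ /share/finance/q3_report.txt
"""
TODAY_LOG = """\
2014-10-22T09:15:00 alice READ /share/hr/benefits.csv
2014-10-22T09:16:00 alice READ /share/hr/benefits.csv
2014-10-22T02:40:00 bob READ /share/finance/q3_report.txt
2014-10-22T02:41:00 bob READ /share/hr/benefits.csv
2014-10-22T02:42:00 bob READ /share/hr/benefits.csv
2014-10-22T02:43:00 bob READ /share/hr/benefits.csv
2014-10-22T02:44:00 bob READ /share/hr/benefits.csv
2014-10-22T02:45:00 bob READ /share/hr/benefits.csv
2014-10-22T02:46:00 bob READ /share/hr/benefits.csv
2014-10-22T02:47:00 bob READ /share/hr/benefits.csv
"""

# Locations identified by discovery as holding sensitive data (assumed for the sample).
SENSITIVE_PATHS = {"/share/hr/benefits.csv", "/share/finance/q3_report.txt"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59; assumption for the sample
VOLUME_FACTOR = 3              # flag when a day's count exceeds 3x the user's baseline average


def parse(log_text: str) -> list:
    """Turn raw log lines into (timestamp, user, action, path) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split()
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def build_baseline(events: list) -> dict:
    """Per user: sensitive paths touched, and average sensitive accesses per active day."""
    paths = defaultdict(set)
    per_day = defaultdict(Counter)
    for ts, user, _, path in events:
        if path in SENSITIVE_PATHS:
            paths[user].add(path)
            per_day[user][ts.date()] += 1
    daily_avg = {u: sum(c.values()) / len(c) for u, c in per_day.items()}
    return {"paths": paths, "daily_avg": daily_avg}


def detect(baseline: dict, events: list) -> list:
    """Return sorted (user, reason) findings for sensitive-data access that departs from baseline."""
    findings = set()
    counts = Counter()
    for ts, user, _, path in events:
        if path not in SENSITIVE_PATHS:
            continue
        counts[user] += 1
        if path not in baseline["paths"].get(user, set()):
            findings.add((user, f"new sensitive path {path}"))
        if ts.hour not in BUSINESS_HOURS:
            findings.add((user, "off-hours access"))
    for user, n in counts.items():
        avg = baseline["daily_avg"].get(user, 0)
        if not avg:
            findings.add((user, "no baseline for this user"))
        elif n > VOLUME_FACTOR * avg:
            findings.add((user, f"volume {n} exceeds {VOLUME_FACTOR}x baseline {avg:.1f}"))
    return sorted(findings)


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for user, reason in detect(base, parse(TODAY_LOG)):
        print(f"{user}: {reason}")
```

In the sample, alice’s two morning reads of the HR file match her baseline and produce nothing, while bob’s early-morning burst against a file he has never opened trips all three checks. The baseline itself is the point: the same event is normal for one user and anomalous for another, which is why the bullet says to watch behavior rather than just count accesses.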