Using more security products won’t solve your cybersecurity problem


Author: Johan Bogema


Have you ever run into this scenario: there is a yearly audit on the security posture of the organization and this requires certain measures to be in place. However, everyone within the security department knows that that one specific measure (let’s name it checkbox alpha) is not actually in place.

They also know that, somewhere in the office, there is a supplies rack on which there is this nice cardboard box with product X. That nice cardboard box is there for one simple reason: to be able to affirmatively answer the question of “do you have checkbox alpha?”. However, it’s in a cardboard box on a shelf, and not actually being used.

This may sound like a scenario that you believe could never occur in your organization, but couldn’t it? How can you be sure?

Losing sight of security features

As we start using more and more products (whether from a cloud supplier or using an on-prem solution) we also need to implement more security measures.

Every separate business product has its own security requirements and solutions and the task is upon the security department to make sure that everything is used in a safe and secure manner.


However, the knowledge and skills required to maintain detailed insight into what can and should be done across the entire company’s infrastructure are increasingly broad. Being able to answer the question of “are we secure?” has become a more and more daunting effort.

This means that inherently you will lose sight of what features every security solution provides. The major issue with this is that you may end up running a security solution (product X) that can be used to implement checkbox alpha but isn’t set up to actually do so.

All the while the business depends on that one product X to make sure that checkbox alpha is ticked.

Why business and operation don’t align

This is where we find that alignment between business and the actual security staff becomes an important factor.

Often, the business side needs a product to improve their business processes and does realize that a certain level of security is required. They therefore already included product X in their acquisition phase to ensure that this one checkbox alpha can be checked.

The operational side of the business, however, is unaware of the purpose of product X and therefore just spins it up, looks at it and says: we can do this. This does the security for our business, so we need it, we’ll manage, without knowing what needs to be configured.

Here we find ourselves in exactly the same scenario as the example: we have a box that was required for a checkbox and is no longer on a shelf, but that is still not effectively in use.

So, are we actually using the security products?

The questions we need to ask ourselves on both a C-level and an Ops level are the following: to what extent are we actually using our security products?


Are we leaving nice cardboard boxes on the shelf just for checkbox’s sake or are we actually going to use them to help us secure our business? Do we have the skills and knowledge to actually use and monitor the features available in our security products?

A fundamentally different approach to security is needed

From our experience this challenge requires a fundamentally different approach to security. An approach that we have found in Zero Trust: taking a data-centric perspective on your security, with business goals in mind.

Eradicating surplus security solutions and bringing the security focus back to where it should be: safely doing business.