In our recent webinar, Automating Security & Compliance for Your Cloud Deployment, we explored ways that firms can scale their cloud security strategies through visibility and intrusion detection, security and compliance automation, and low-cost security practices.
Some organizations are especially successful when it comes to security preparedness. In the webinar, we discussed what makes the strongest teams stand out. It boils down to their unique approaches to people, processes, and technology and how theses elements are bound together by a common set of goals.
In this post, we’ll dig further into these three areas and define what you really need to create a rockstar security organization.
To quote the classic business book Good to Great, “getting the right people on the bus” is a key step for any major company initiative.
In the case of security, we need to ask ourselves questions including the following:
- Who is the owner?
- Who are the stakeholders that need to know about this and provide support?
- Who needs to be informed so they can do their job better?
Getting started with security means the right information has to flow to and from the right people (who have clearly defined roles and responsibilities) in order to drive decision making, technology selection, deployment, and training in accordance with the goals you’ve defined.
Communication is central.
Too often, decisions are made in a silo. Someone higher up, for example, may decide to adopt a new tool but fail to explain the objective for doing so or neglect to train others how to use it. The reason behind this could be innocent enough, but the result will be the same: poor support, slow adoption, sub-optimal usage, etc. This is why it’s all about getting the right people involved throughout the lifecycle to achieve the objectives you’ve defined.
We’ve written before that security should be everyone’s responsibility. In addition to a shift in company culture, a well-thought-out set of processes can make this a reality.
Processes bring people together and bring to life the vision you have for your cloud security strategy. To make security a serious initiative at your organization, some processes to keep in mind include training, automation, and continuous improvement.
- Training: Security awareness requires that you make security a part of the company culture and that employees understand why it is important to the business.
- Provide security training tailored to employee roles and responsibilities. For example, developers should learn how to produce and deploy code securely. For their part, HR should be well-versed in how to transmit and store sensitive employment data securely. Giving employees specific instructions to understand what policies, practices, and procedures apply to their jobs and how to follow them will ensure that every worker has an understanding of the measures and protocols that are required to secure their part of the workplace.
- Make security training part of the employee onboarding process, and to keep the topic top-of-mind and “sticky”, provide regular, frequent refresher content. The goal is to generate continuous security awareness across the organization.
- Automation: Automation can minimize errors and help companies ensure consistency and speed as they fight off potential threats. You can automate alerts for suspicious activities, user provisioning and deprovisioning, code reviews, monitoring, and operational tasks. One of the benefits of automation is that it reduces human error and vulnerabilities. However, that’s only true if someone oversees the automation. With that in mind, task a leader to manage the automation to ensure that it’s doing what you need it to do, and don’t forget to monitor and improve results.
- Continuous Improvement: Security measures require ongoing monitoring, evaluation, and, when possible, improvement. Before you can improve, however, you need to know where you stand. So complete an audit of your security posture to determine what is working, what needs improvement, and what’s missing. If you consistently measure your organization again these standards, you will make yourself an unappealing attack target.
In addition to training, automation, and continuous improvement, another process that successful security organizations get right is selecting and implementing the right technology.
Many companies don’t ask the right questions before investing in new security technology. That’s why so many organizations today are drowning in tools. Oftentimes, organizations adopt multiple point solutions that provide limited functionality. When they go to combine them, they end up with disparate technologies that are difficult to manage and don’t necessarily meet the organization’s security goals.
That’s why it’s important to be rigorous with your cloud security technology selection process.
Before buying, be sure you have a security strategy in place that defines things like:
- Your security objectives and risk tolerance
- What kind of data you need to monitor
- Security-related events you want to see
- Risks relevant to your unique organization
Then you can drive the internal conversation around finding tools to solve those problems. As you look at your actual needs, keep in mind that there is often a gap between what we think we need and what we actually want to do with the data a tool can give us.
Remember: Technology alone can’t solve problems. But if used correctly, and in combination with clearly articulated security objectives, defined processes, and well-informed and trained people, it can provide incredibly valuable visibility into events and activity you want to know about to stay secure.
Final Words . . .
Security is a lot for organizations to take on. It is often misunderstood, and the risks of threats are often underestimated by those who don’t live in the subject matter day-in and day-out. But there is method that works: The right approach to people, processes, and technology will support the cultural shift needed to build and sustain a more secure organization and will set up your organization for success in the long run.
If you would like to discuss your security requirements, contact us for a demonstration of Threat Stack’s intrusion detection platform.