Is your security posture all “do it yourself security?” Or do you include other elements in your security strategy? Last year I went on a fishing trip with some buddies of mine to Costa Rica for a week. We had an awesome time. It was a trip of a lifetime. We caught many fish that we had dreamed of (catch and release of course). We caught so many that at the beginning of the day we would jump to grab the rods, and at the end of the day, we would kindly offer the rod to our buddy because we were so tired. It was a funny turn of events.
I also fish when I am at home, and I catch fish and always have a good time. But this was different; this was a step up from normal fishing. It was an abundance of fish I had never experienced. You may say that it was because of the location, but my home waters are full of fish. Or you could say it’s that I am not a good fisherman. That is possible, but I usually catch fish at home, and I did not see the captain and crew on the charter boats do anything that I did not do. So what was it?
The simple answer is that they are professionals. This is their job; this is what they do night and day. They make their living making sure that guests like me and my friends catch lots of fish, so they do everything in their power during that trip to make this happen. It is not a sideline for them or a secondary activity. It is their profession. The same goes for cybersecurity. When I encounter an organization that is in need of help with its cybersecurity, there are certain elements that tell me it will most likely be vulnerable. One of those is when the senior leadership of that organization does not have time to get involved in their own cybersecurity and immediately passes it off to a low-level subordinate or an IT person in their organization.
That this is so common today, while cyber-attacks are at the same time so common, is not a coincidence. I see this time and time again. Management cannot be bothered by this issue. Besides, they have an IT department to handle that internet stuff. Right? Almost inevitably, this is a mistake.
Not The Same
Take a fictitious company involved in manufacturing that has a large multimillion-dollar plant. Suppose someone came to the leadership and told them that in the next 6 months there was going to be a major disaster at the plant, such as a fire or sabotage of some sort, putting it out of commission. What would the leadership of the company do? Would they pass this off to a subordinate? Would they put it on the back burner, or ignore the person warning them?
Of course not; they would immediately put this issue on the front burner of their list of priorities. They would enlist the best people they could find, both inside and outside the company, to try to prevent or at least mitigate this threat. They would find people both inside and outside the company to help them get to the bottom of it. Simple: because they want results.
It should be no different with cybersecurity: you need to use the best talent you have. You need to be involved in the process of addressing this imminent threat, and you need to make sure it is carried out according to the best of their recommendations. Relying only on do-it-yourself security, and doing anything less, is not going to yield the results you are looking for. Look for the professionals who can help you the most and then use them. If you need to hire them, then hire them; if you need to go outside to get them, then do it. But don’t wait for disaster to strike.