7 Steps on the Road to Securing your IT Infrastructure
By Jason Norred, Senior Director, Security Solutions II, Inc., friend of Andersen Alumni
Solutions II is continuing the discussion of how “Complexity is the Enemy of Good in Cybersecurity” from the previous two newsletters. In this issue, we address seven key items for consideration to drive more engagement from the rest of your organization in improving security posture and reducing risk while retaining sanity and avoiding total burnout.
It is easy to get bogged down in the nuance of cybersecurity program management, dealing with the most recent zero-day or critical vulnerability that has been announced, and sometimes just trying to keep building the plane while it’s in flight is more than we can handle. In these situations, it is good to remember the following key items while securing your IT infrastructure.
1. You are NOT Alone
You should make security architecture a vital component of the overall enterprise architecture for your organization. This positions security in everything and makes everyone responsible. There is likely a lot of expertise in other key areas of the organization that can help drive security within your IT Infrastructure when it’s considered as a component of enterprise architecture, whether it’s on-prem, in the cloud, or both within a hybrid cloud. Getting buy-in and support from the rest of the organization is critical.
2. Reaching Across Enterprise Towers
Bridging gaps between executive management, line of business leaders, IT and/or other Security leaders by developing and building business-focused use-cases that drive and support a security-first posture benefits the entire organization as well as continues to drive the engagement and involvement discuss previously.
3. Address the Basics
While there can be great value in the latest tools and technology, make sure you are doubling down on the basic foundational items, including security awareness training, identity management, MFA, privileged account management, and data protection. The Center for Internet Security’s Critical Security Controls is an excellent guide and roadmap for prioritizing basic foundational security controls and includes implementation groupings that provide further granularity based on the size of your organization.
4. Manage the Human Element
While malicious insider threat is absolutely a real thing, the more common form of insider threat are accidents. Someone not paying attention and clicking on a link on a website or in an email that downloads a malicious payload into your environment is still a highly likely scenario. Manage this through security awareness training and create processes and procedures for users to self-report this kind of activity when accidents happen such that proper due diligence and investigations can happen without severe repercussions. Additionally, pay attention to both onboarding AND offboarding of employees and contractors. Too many times, there is significant focus on onboarding to get employees operational and functional as fast as possible, but when not properly offboarded, it leaves accounts accessible and open to compromise. Additionally, malicious account activity from a previously legitimate account can be incredibly difficult to detect until it is too late.
5. Do MORE than Check the Box
While compliance is critical in many cases, do not let your organization become so laser focused on compliance that they do not see the forest for the trees. Compliance can be used as a tool alongside the overall security efforts for the organization to drive increased security posture and risk reduction. Leverage it!
6. Tackling the influx of Data
Explosive data growth is occurring all over the enterprise, including client data, corporate data, finance data, systems data, etc. Consider cloud-scale solutions to not only store the data but to leverage the increased scalability to drive analytics to drive meaning out of the data. Consider the adage that data without business value is purely risk while data with business value drives profit and margin.
7. Collaborate to Elevate
Consider collaborative partners in the IT, Security, and Cloud space to help create, drive, and deliver your enterprise IT architecture. Leverage the expertise your partners in this space have to elevate your organization and improve your overall time to value.
IBM recently published the previous seven steps and the benefits of incorporating them into your IT infrastructure and enterprise architecture as part of your overall IT strategy. Click here to download the full report.
Solutions II also helps you avoid complications through a framework for change called the Adaptable Data Center® (“ADC”) that simplifies the complexity while decreasing technical debt with IT investments. The ADC framework takes security into consideration and all of your priorities and creates an actionable roadmap to take you from your current state to your future state. This can be a game-changer not only in your security approach to 2021 but in all of your IT priorities.