Dear Security Community, are we doing it right?

Compliance Vs Security:

Compliance does not always mean you are secure, totally agree. But does not mean Compliance, Standards and Processes are useless, it is not as glamorous, but it works silently in the background. Compliance covers all the areas equally while performing risk assessments and improves overall security baseline. E.g. periodic checks for access control and least privileges go a long way not only in preventing issues, but also controlling the damage even if you are under active attack, regardless of whether you are running your workloads on-premise, in-cloud, on dockers, or serverless. But sadly, there are no shiny Conferences, Events or Award Ceremonies, that talk about getting your processes right!

Shifting Left vs Right: 

The lot being talked about shifting left. However, both Left and Right are equally important and should evolve together.

Left(Code, the source of the most security issues): The focus is on secure design and code, and to achieve that we use things like common secure coding mistakes (CWE). CWE comes from what has happened in the past, gives good insights into what should be avoided.

Right(What is actually happening in the environment): The “Right” gives you what exactly is going on in your own environment, it’s more realistic. If done right with appropriate visibility, logging, monitoring and metrics, it gives what you need focus right now, it should feedback to “Left” making it more focused and realistic.

Zero Days, File-less and ATP: 

Yes, it is lethal, destructive, very hard to detect. But it has less market share if we consider all the breaches happening around. It is not right to ridicule signature/heuristic-based malware prevention technologies and patching. It always needs to be there at the foundation allowing you to focus on advanced malware threats.

Prevention, Detection, and Response:

People are saying we should shift from prevention and detection. However, both all three are equally important. Detection and response should feedback the loop, to improve identification and detection.

"Security Vs Privacy" of Personal Data.

Security: Protect Personal Data from internal and external threats.

Privacy: Prevent the misuse(intentional or accidental) of the personal data.

"misuse of the data" is more serious than the actual data breach(after doing enough due diligence and putting security controls). With the proliferation of the data and connected entities in today's world, an organization can't fully prevent the data breach, but it can certainly prevent the misuse of the data.

Last one on CISSP(and other equivalent certifications)

Totally get that certifications do not necessarily mean you have the right attitude and skills. But in case of certifications like CISSP, the guys who are certified(beyond just clearing the exam) generally have significant experience and are mostly have loaded jobs and families to look after. Money is not the problem but systematic investment in time is challening at this stage. It's not about the content of the exam(which is, of course, VAST), but it certainly shows the commitment towards the information security profession, and it should be respected.

As always, requesting your inputs and feedback to shed light on blind spots(everyone has few)

Views: 30

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform

Comment by Aditya Sarangapani on January 1, 2020 at 2:35pm

I agree with all your points. However, I think we as a community tend to focus on only the technology  aspects of security, compliance and privacy forgetting that technology is only 1 of the 3 aspects; the other two being process and people. Needless to say, all 3 aspects are closely interrelated. No technology solution will protect you if your processes and people (including vendors as we see from a few recent breaches) leak out the data.

While you have touched on processes being right, the difficulty (and hence the lack of awards) is that these tend to be subjective and will vary with the organisation.

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service