An Ounce of Prevention is Worth a Pound of Cure
I used to hear this a lot growing up. But being the kid that I was, I didn’t really understand it’s meaning until I became an adult. Ask yourself about issues that you’ve had specifically in IT. All of the incidents that you’ve reported had a root cause. In some cases the cause was clear and in others it may not have been. The general thought during any level of investigation that typically pops up is, “How could we have prevented this?”
Finding time to review critical portions of your infrastructure can be daunting, especially in an age of doing more with less. Less resources, less staff, yet seemingly more problems. But by making time to do a full review, you’ll typically find major areas of improvement. And in turn, find more ways to justify adding or diverting critical time and resources to a project. Approaching areas of your organization’s infrastructure in bite size chunks comes with risks. I like to call them tactical vs. strategic decision-making processes. When you break down bigger concepts into bite sized chunks you start to lose the big picture. You make tactical decisions for short term gains while losing sight of your long-term strategic goals. Remember your mission, and coach others to that mission and you’ll ensure that the tactical decisions that are made will consistently align themselves to the overall goal.
Solutions Are Not Created Equal
There are a lot of solutions providers out there. They are not created equal. Typically, their goals and ideals are what set them apart. Why? Those goals and ideals drive how their solutions are crafted and brought to market. If I approach a particular segment of industry with solutions, my goals are aligned with solving some of that industries problems (or at least I would hope). Instead of asking what features this solution has, perhaps ask what problems related to your industry the solution is looking to solve. That type of thinking provides two very distinct advantages; 1) it ensures that the solutions provider understands your business, and 2) it provides a better fit to the core of your business. As an example, building enterprise solutions doesn’t necessarily fit the SMB. An enterprise has different needs, expectations, and budgets that don’t necessarily align with the SMB.
It’s challenging to look past the aesthetic of software to look at its utility. What are you truly looking to accomplish with the solution and the cost/benefit analysis. If a solution is created with 4 key elements for IAM, scales to 100,000+ users, but requires a minimum breaking point of 1,000 users to drive costs down to a reasonable level, it’s not going to fit an SMB budget. Especially, when you consider Managed Service Providers. It’s either a cost that they’re going to absorb into their service offering or a cost that they need to pass on or sell to their customers (which in many cases is another SMB.)
Don’t Worry, We Got This
I’m reminded of every project that I’ve ever done on my home. I’ve had some great teachers and there’s certainly no end to the number of YouTube videos out there for DIY projects. However, when the projects done, there’s always a distinct difference between what professionals do, and what I’ve done, both in overall look and function. I’m sure the same applies to what you do as well. Going at it alone because you want to save some dollars works well within personal ventures. Why? Because you’re limiting the risk to yourself, and you have (or should have) some level of understanding of the risks to others.
But business based decisions are a little harder than that. If you don’t understand the risks, how are you making an educated decision? That’s where expertise comes in. Calling in an expert may cost more in the short term, but it’s certainly cheaper than having to do something twice. Security is extremely broad, and you can’t be an expert in all of it. Consult your peer network and speak to some experts. If anything, it may simply be helpful to talk to some new people during this crazy time.
I Hear Buzzing All the Time
Those buzz words start flying around when you’re looking to finding new solutions. Everyone has an Artificially Intelligent, machine-learning, Internet-of-Things, generating 1.21 gigawatts, protected by super composite alloys made for Space-X. But, those are just tools. We tend to overlook humans. Why? Because humans are prone to error. But, humans created those tools so by extension, those tools are also prone to error.
Two of the biggest components to security are people and processes. Don’t get me wrong those tools can be of great importance to an organization. They can create a tremendous amount of efficiency, enhance security, and provide a wealth of information that humans simply can’t process on their own.
But, tools are there to assist the people interfacing with it. Imagine going to a garage to get your car fixed with the most high-tech gear, but no mechanic. Cool in concept but does not generally work without someone there to interface with.
We Fear Change
“If it’s not broke don’t fix it.” That’s something that I’m sure we’ve all heard. And in many cases it works well. However, in security that’s simply not the case. Security, as previously mentioned, is broad and constantly evolving. One way that threat actors outpace us is because they’re adept to change. They change tactics, their approach, and their toolsets. If we leave our infrastructure stagnant it’s particularly easy to take advantage of it. What’s more challenging is that IT and IT Security can easily be viewed as a money pit. However, unless you’re looking to revert completely back to pen, paper, POTS lines, and analog phones, investing in consistently changing technologies is a must.
A new mantra that needs adopting is “If it’s not broke, someone will break it eventually”. That could apply to both internal and external threats. We need to look at change as an opportunity to improve and recognize that change should be written into our process to be proactive vs. using reactive change management processes.