Common causes of security oversight of today’s networks

As we get older we’ve all experienced that feeling of time passing faster and faster. What used to seem like a long year ahead to get various IT and security projects accomplished has turned into, Wow – where did the year go; we haven’t gotten hardly anything done! Experts say this is related to how aging brains view time and past experiences. There’s also the reality of more and more responsibilities as we move up through the ranks. The trouble with all of this, however, is the reality that the security of our network systems often takes a backseat and isn’t getting the attention it deserves.

There are a myriad of reasons as to why this happens. In my experience as a security consultant it’s often at least one of the following:

1. People get pulled into meetings, more meetings, and then meetings to talk about the meetings they’ve already had. Meetings are a major waste of most people’s time, yet we still have them over and over and over again without question. The solution? Meet less with fewer people – only those who will be actively contributing to the meeting. Let other staff who don’t have to be present in the meetings should be doing what they do best – secure and manage the network.
2. People are afraid to say no. They know that they have a thousand other things to do but they simply don’t want to be seen as a person who rejects requests – a non-team player. The solution? Leadership. Saying no is easier said than done and it shouldn’t necessarily be incumbent on IT and security staff members to have to do it all the time. Good IT and security leaders understand what’s important and know where to focus the time and skills of their staff members.
3. People don’t know what to do. One of the greatest examples of this is the fact that many organizations haven’t ever really performed a comprehensive security assessment to determine whether and, more likely, how their environment is at risk. If you don’t know about the flaws then there’s nothing to fix. The solution? Perform in-depth technical review of your network infrastructure systems, operating systems, applications and the like. If you use the right tools and follow the proper methodologies, the weaknesses in your network environment will become obvious, and then much easier to mitigate before an incident occurs.
4. People aren’t prioritizing what’s important to their business. Many people are afraid to or simply don’t take the time to prioritize, yet, it’s one of the most important things you can do at the beginning of every year, month, week, and day. The solution? Stop trying to do everything. Determine where the business is most at risk and take the steps necessary to minimize those risks. This is an exercise in the Pareto principle (80/20 Rule) whereby 20% of the security issues you uncover are creating 80% of your security problems.

I’m convinced that we would know about twice as many network security events yet have half the security problems we have today if network and security administrators weren’t so distracted. It’s interesting how much time, effort, and money goes into creating security standards, policies, and technologies yet very little thought goes into why those things are not properly implemented or enforced. It’s all about people. More so, it’s all about focus, or lack thereof.

Starting today, think about what you can do to pay more attention to your network environment. Do you need more visibility? Perhaps you need specific information you don’t already have? You might need to start working on simplifying your environment. Can you honestly make informed security decisions based on where you’re currently at? Do you really know which applications are critical to your business? In the end, all the technologies, all the log entries, and all of the statements regarding “this is how we do things here” mean nothing if you don’t prioritize, have visibility, and fully understand your security risks.