Everything you ever wanted to know about security policy management, and much more.
Working in IT, you’ve no doubt heard – and said – the phrase “we don’t know what we don’t know” more than a few times. Yet many technical and business professionals have convinced themselves that they have complete visibility into their network environment. They’re fooling themselves.
Mature IT, security, and business professionals know that no matter how much money you’ve invested in security, the reality is you cannot fully know where and how your business is at risk. So it’s up to you to find the gaps so that these risks can be properly mitigated or, ideally, eliminated.
So, how do you go about doing that? Well, if you want to find everything that matters, you’ll need more than basic configuration checks, vulnerability scans, and control audits. Here is a list of what I believe you should focus on to find most of your network security risks:
You then take all these practices and work them into your overall security program to provide the ongoing visibility you need. Put each of them on your to-do list and make sure each area is addressed periodically and consistently. The point is not just to find security gaps so you can minimize the associated business risk; it’s also to demonstrate due care – that you are doing what’s reasonably expected of any business. That will prove valuable if a security incident or confirmed breach occurs. The last thing you want is for an investigation to discover that you did nothing – or very little – leading up to the network event (which is the case in many of the big breaches we hear about, and the smaller ones too). I always talk about the importance of getting people outside of IT on board with security initiatives, and this is a big reason why.
The late Richard Carlson, author of the popular Don’t Sweat the Small Stuff book series, once said “It’s critical to remember that if you go on doing what you’ve always done, you will go on getting what you’ve always gotten.” Understanding where things stand with your network security doesn’t have to be that complicated if you do the right things and you do them repeatedly. It’s no different than performing maintenance on your car or doing what’s right in terms of diet and exercise for your own body. If you want positive outcomes – truly knowing what you don’t know – then you must be willing to put in the work to find out just what that is.