Wednesday, June 29, 2022

Focus on security basics and be good at them, says risk consultant

CISOs often dream about adding hands to the infosec team to ease their burden. However, a risk management consultant says they fail to take advantage of a resource under their nose – the organization’s employees, who are the most likely to kick off a security crisis.

“The very last line of defence is the individual sitting at a desk,” Ken Muir of Vaughan, Ont.-based Uzado told the annual SecTor security conference in Toronto on Wednesday.
IT forgets “they have an army of people behind the scenes that can help them as well. But they don’t use the employees in the organization to help out because for them it doesn’t look like they’re part of their plan.

“The security department is like a brotherhood – they sit behind closed doors and they make all these plans but don’t tell anybody.

“You should be training people all the time: What does a potential compromise look like? What does a bad email look like? … Without explaining what those things are they can never be part of your force.”

Muir’s main argument at his session was that organizations need to get back to basics if they want to better secure their environments. And one of those basics is security awareness. The others include patching and performing regular off-site backups.

The gold standard of security planning revolves around following internationally recognized frameworks like NIST and ISO 27001. But these are hard to implement for all but large organizations, Muir argued. SMBs should just pick the most important controls for them, “and get really good at them.” Having metrics to measure progress is vital, he added.

“Why are we still getting hacked today?” he asked. “People are spending billions of dollars every year on technology, there’s lots of companies that have the money and the ability to maintain these environments and they’re still getting hacked? … I get it if you’re an SMB and don’t have the resources, but why are major corporations still getting hacked?”

“There’s no discipline around security today,” he complained. As evidence, he pointed to the lack of regular and solid patch management which led to the spread of the WannaCry ransomware.

“Don’t worry about what the hackers are doing. Don’t worry about their levels of sophistication, because it will always be way beyond the level of understanding of most people. You’ve just got to be good at what you do.”

It’s a matter of where the infosec team puts its scarce resources, he said.

One audience member complained vendors are only willing to sell expensive solutions that won’t integrate with other equipment he has, so network visibility is hindered.
“That lack of visibility is a big problem for organizations,” Muir replied.

In an interview Muir said that infosec leaders suffer from a lack of resources and skilled people because what they’re being asked to do is too much. “So let’s resize that and look at what they can accomplish. And if they can do more, that’s great.

“At these conferences people talk about artificial intelligence and quantum computing, and it’s very interesting. But for a small to medium-sized business, this is Star Trek stuff. They’re not going to get there until that technology becomes more affordable. So what can we do in the meantime? That’s where we need to be focusing.”

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com