In a year that has seen major bugs in SSL (Heartbleed, POODLE) and in widely deployed server software (Shellshock), there is a role for businesses to play in being more proactive about identifying and fixing flaws.
Speaking on an IT Security Guru webcast about “The next great threat to security”, CISO and GiveADay founder Amar Singh said that rather than Heartbleed, Shellshock and Poodle, what was more important than ever before was “the inability of most organisations to quickly and correctly respond to an incident”.
He said: “The issue is that everyone is still spending on protection: the latest malware tools, the latest firewall, next generation 3.0, the new flavour. But while building up defences we are not building up the response mechanisms.
“The monitoring mechanisms are still lacking in so many organisations, and many people I speak to say that they find it very difficult to convince their board to be prepared, as there is a strong belief that with the greatest malware-fighting tool you will be able to stop an attack. That is the biggest threat to security for the next few years.”
Singh said that people will be compromised all of the time, but the acknowledgement is not there, nor are the response mechanisms or the ability to figure out what has happened in order to fight back.
Vice president of information security at Monster Worldwide, Craig Goodwin, said that as a security function, we are falling behind by using “archaic ways” of doing business.
He said: “We need the flexibility to be built into our functions to deal with that, so it means building the fundamental process and building one which is mature enough. It doesn’t matter what the next threat is that comes along, as you have the right incident management processes in place, the right response mechanisms in place.
“Some threats will affect you more than others, but that just increases the size of your response. It shouldn’t increase the way in which you respond.”
Asked for their advice on how to resolve major threats, Goodwin recommended looking at inventory first even when there is no bug. “We need to work consistently harder on getting inventory up to date and that comes back to good communication and making sure you’ve got someone bought into security at the right level,” he said.
“A lot of organisations don’t have CISOs, they just have someone in IT, and as security professionals we have really got the responsibility to make sure we sit in IT and have communications across the business to drive change,” he said. “It is not just about technical issues, it is about investing time and effort from people and firming up process, and not just fire fighting.”
Singh recommended focusing on what we are trying to protect, rather than what we are going to buy.
Listen again to the webcast here – https://www.brighttalk.com/webcast/11399/131731