Daily morning headlines from Dark Reading, Krebs on Security, ThreatPost and others remind us that breaches are inevitable – they are not a matter of “if,” but instead, “when.” This is increasingly understood, so one wonders: does this reality lead people to make overly rash decisions based on what they read with their morning cuppa joe?
Catch that last question? Let’s talk about recency bias – the tendency to place too much weight on recent events.
While many IT practitioners, especially those in security, believe that we are perfectly astute and calculated bastions of logical decision-making, we are all, indeed, human. And agencies and news publications alike have capitalized on fearmongering, knowing that we cannot avoid consuming and commenting on the latest event driving headlines. Now, while there is little danger in your Kardashian obsession (mine lately has been Jho Low, the embattled billionaire accused of swindling billions from the Malaysian government), there is potential danger in basing security purchases and strategies purely on the latest security fad.
New tools and technologies constantly enter the security market. Some vendors, often founded by security practitioners, are deploying powerful systems absolutely bursting with functionality, intelligence and potential. However, while the wildly innovative and nascent tools are interesting, security leaders have to provide the most security value they can – increasingly in terms of quantifiable risk reduction – across their entire organization.
Instead of chasing headlines, I suggest adopting technologies that have gained recognition from security thought leaders and influencers for their ability to reduce risk and increase a company’s security posture. One place to look for direction is the Center for Internet Security (CIS), which provides a list of top security controls. This includes what they call “controlled use of administrative privileges” and we call privileged access security. Privileged access exists everywhere in your organization and has existed as long as administrator and superuser accounts have been integral to the operation of applications and infrastructure. Although it seems obvious that protecting privileged access is critical to maintaining security, it was, at one time, viewed as a niche security tool or something organizations could do as an “extra” step to securing the enterprise… a “nice to have,” if you will.
If you look into key regulations, across myriad industries, you will find that protecting privileged access is one of the key tenets to adhere to when the auditors come knocking. PCI-DSS 3.2, Sarbanes-Oxley, HIPAA and NERC CIP all require the protection and monitoring of privileged users and sessions. That being said, embarking on a privileged access security program isn’t just about checking the box to fulfill a compliance requirement; it is also a key step in staying one step ahead of the attackers.
Many of us work in high tech because there is constant innovation and there are cutting-edge solutions that push the limits of computing.
Technophiles should not fear as there are privileged access security companies like CyberArk experimenting with bleeding-edge tools, developing brand new technologies and implementing techniques to stay ahead of the attackers. For those interested in innovative techniques and deep privileged access security research, check out the CyberArk Threat Research Blog – and remember, news publications are fighting to be the most sensational and generate the most clicks. Trust your instincts and deploy proven privileged access controls instead.