Companies that fail to enforce security policies must be prepared to handle the consequences.
After reading through some security blogs and strategy papers, I saw what appeared to be an underlying theme across the narratives I’d read: Security tolerates failure.
It’s understandable that it happens, but I think if we are honest with ourselves, it happens because of a collective acceptance that close enough is good enough. It can be easy for any of us to offload responsibility when so many things aren’t in our control, and we can feel powerless because of it. In almost every instance I read about, I saw leadership and technical security folks pointing fingers at all kinds of issues, but I hardly ever read about any of them taking ownership — or even acknowledging that security earned this failure. The bad things did not happen through osmosis; no evil hacker just magically jumped into the network. Failures occurred because of a series of bad decisions, poor strategy, and a lack of enforcement of well-known security practices.
Let’s think about this for a second: You deserve what you tolerate. What does that message mean in the context of cybersecurity and security operations?
If companies collectively turn a blind eye to lackluster security policies and don’t bother to enforce the standards that were put in place solely to defend their networks, these organizations deserve the bad things that will inevitably occur because of those decisions. If companies do not wish to enforce a user policy because users gripe about it, again, they deserve the work and stress that comes with the imminent breach headed their way. If companies tolerate vendors selling them technology that ships with default hard-coded back doors, with no technical way to control or patch the device, it can’t be surprising when that device becomes an IoT threat to the network and to every other network it can reach.
Here is the first half of the hard part of accepting failure that comes from tolerating it — this takes accountability and willpower:
Tolerating overhyped technology means we won’t get what we deserve (or what we paid for).
If we don’t enforce our policies, we let down our users, our leadership, and shareholders.
If we don’t align our strategy with the business, we can’t be surprised when we aren’t involved in decisions and our initiatives are sidelined.
We should take steps that will help us stop failing and stop tolerating anything less than victory. There is only one thing to do: raise the level of expectations.
Here is the hard part — organizations still have to actually do it. There is no AI that will help here:
If companies have a user policy that says “we monitor your activities and we are watching what you do on our network,” they must enforce it.
Don’t accept smart devices into networks without having a plan in place to track and patch that item.
Make the C-Level team realize that security is not just a part of the business: It’s critical to its success in today’s world. Don’t take a back seat.
Analyze and understand the nuances, technical needs, and implications of any technology your team is considering using. Don’t just move forward with a POC and think it’s all going to work out (it won’t).
That goes for the good and the bad. Whether the results lean more toward the positive or the negative is up to us, and to how much failure we are willing to stomach before we flip the script and move decisively away from tolerance.