Observations from SecureWorld Detroit
Just a couple of weeks ago, security professionals, including myself, converged on SecureWorld Detroit to hear the latest from top security industry experts. I also had the great opportunity to be one of those speakers and to participate in two panel sessions: “Building a Better Mouse Trap (Emerging Threats)” and “The Battle for the Endpoint Continues (Endpoint Security)”. These events are not only a great place to network with other professionals but also a place to share tribal knowledge with one another so that new ideas and concepts can be conceived. Here are some interesting topics that were shared that I think anyone involved in security should think about.
“Don’t focus on a single security discipline”
Conversations around “what are the biggest threats today” and “how to keep endpoints secure from new emerging threats” were in abundance. Advice from panelists included focusing on a multi-layer or multi-discipline security strategy. Too often organizations focus on a single security layer like endpoints, or a single threat like malware, and assume that will keep them protected. However, just as businesses want to grow and adapt, the bad actors are also growing and adapting. This is why identity governance should be a part of any security plan. You can have the most advanced lock on a door, but if you do not know who has a key or how many keys are out there, the lock is useless. In addition, even if someone is allowed to enter your ‘house’, how do you ensure they are not going into rooms and opening drawers and cabinets that do not pertain to them? The same is true for securing your IT environment: if you cannot answer and control who has access, who should have access, and what they are doing with that access, do not assume you are secure.
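The three questions above (who has access, who should have access, and what are they doing with it) are what an access review answers in practice. The following is an added example, not code from the original post or from any product it refers to; it reconciles a constructed set of current entitlements against a constructed role model and a few constructed usage-log lines, and flags entitlements that fall outside a person's assigned roles (“not-in-role”) or that are held but never exercised during the review window (“dormant”). All names, roles and entitlements are made up for illustration.

```python
"""Minimal access review: reconcile held entitlements against a role model and
usage evidence. Added example with constructed data; not from the original post."""
from collections import defaultdict

# Constructed: what the directory / identity system says each person holds today.
ENTITLEMENTS = {
    "alice": {"hr-db:read", "payroll:approve"},
    "bob":   {"hr-db:read", "prod-ssh", "billing:admin"},
    "carol": {"prod-ssh"},
    "dave":  {"billing:admin"},   # constructed leaver whose account was never cleaned up
}

# Constructed role model: what each job function is supposed to hold.
ROLE_MODEL = {
    "hr-analyst": {"hr-db:read"},
    "sre":        {"prod-ssh"},
    "finance":    {"billing:admin", "payroll:approve"},
}

# Constructed role assignments (the "who should have access" side).
ASSIGNED_ROLES = {
    "alice": {"hr-analyst", "finance"},
    "bob":   {"sre"},
    "carol": {"sre"},
    "dave":  set(),               # no current role: any entitlement is out of policy
}

# Constructed usage log, one "<user> <entitlement>" line per access event
# observed in the review window (the "what are they doing with it" side).
USAGE_LOG = """alice hr-db:read
alice payroll:approve
bob prod-ssh
bob prod-ssh
"""


def expected_entitlements(user):
    """Entitlements a user should hold, derived from their assigned roles."""
    expected = set()
    for role in ASSIGNED_ROLES.get(user, set()):
        expected |= ROLE_MODEL.get(role, set())
    return expected


def used_entitlements(log):
    """Parse the usage log into {user: set(entitlements actually exercised)}."""
    used = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        user, entitlement = line.split(maxsplit=1)
        used[user].add(entitlement)
    return used


def review_access(entitlements, log):
    """Return (user, entitlement, finding) tuples, sorted by user then entitlement.

    not-in-role: held, but not justified by any assigned role.
    dormant:     held and justified, but never exercised in the review window.
    """
    used = used_entitlements(log)
    findings = []
    for user, held in sorted(entitlements.items()):
        expected = expected_entitlements(user)
        for ent in sorted(held - expected):
            findings.append((user, ent, "not-in-role"))
        for ent in sorted((held & expected) - used[user]):
            findings.append((user, ent, "dormant"))
    return findings


if __name__ == "__main__":
    for user, ent, finding in review_access(ENTITLEMENTS, USAGE_LOG):
        print(f"{user:6} {ent:16} {finding}")
```

In a real environment the three inputs would come from the directory, the role catalog and the access or authentication logs respectively; the point of the example is that none of the three questions can be answered from a single source, which is why the post treats identity governance as its own layer rather than a feature of endpoint or malware controls.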
“Security must be frictionless to be successful”
Many times, security controls and business processes conflict, and this can lead to security controls not being followed correctly or, even worse, being ignored. When this happens, risk increases. A former local government CISO explained how he was required to work with over twenty different government departments, each with its own goals and processes. He spent over nine months working with each department to understand how it operated and how security controls could be implemented with the least amount of friction. This led to an increase in trust between teams and an increase in the adoption of security controls. This same frictionless approach also applies to identity. It means understanding how your organization does business and then building in tools and processes that enable workers to get work done more efficiently and more securely. This can range from automating day-1 access for new workers, to implementing self-service access requests and password resets, all the way to AI-driven recommendations that help business managers make faster and more confident access decisions.
“Treat users as partners”
In talking with attendees and in both panel sessions, it was clear that security professionals are still struggling to make sure that new processes take hold with users. This is because new security processes are often pushed to users with a “you shall do this because I said so” mentality. However, a few security professionals have been ‘thinking out of the box’, and it has resulted in them becoming security best practice enablers for their users. They are doing this by holding Lunch and Learns to educate their users on how to better protect their personal identities online. The good news is that they are finding this has a positive impact, as these users are also adopting the same practices within the organization’s IT environment. Another concession shared was to allow users to retain their corporate passwords for a longer period of time, based on the strength of the password. Overall, by educating and empowering users, you may see more engagement and stronger security when new security processes are implemented.
Cybersecurity is constantly growing and changing to respond to new threats and attacks. This means that the way security professionals approach their work also needs to keep growing and changing. However, many times we become so focused on a particular problem or specific technology that we lose sight of the bigger picture. The more security professionals are out learning and sharing with one another at events such as SecureWorld, the more resilient our organizations can become. To dig deeper into how identity is enabling organizations to realize a more secure environment, check out this blog.