Welcome to RSA 2012 – and the world of 2012 cybersecurity defences
With the RSA Security Conference now upon us in the US – and with a welter of really interesting announcements coming out of the San Francisco event – I was intrigued to read a guest column from Art Coviello, the executive vice president of EMC, the parent company to RSA Security, on Forbes.
Coviello’s comments – citing the Bob Dylan track, ‘the times, they are a changin’’ – are bang on the money, especially when he recommends that IT security now needs to be a board level discussion.
This coincides with our thoughts here at Avecto, as the involvement of a board level discussion on security will help IT security managers to determine the ‘sweet spot’ where the organization has invested in sufficient security to say it has carried out what any reasonable company would do to defend its digital assets.
And in today’s security governance-rich environment, the expensive cost of reaching that sweet spot can be lowered by adopting a multi-layered approach to IT security and so help to ensure that the advantages of one type of security can offset the disadvantage – namely the weak spots – of another system.
At the risk of sounding like an accountant, this all comes down to the risk/reward balancing game which Coviello hints at in his column, but with the additional factor of cost entering the equation.
The EMC/RSA chief is, of course, quite correct in his assertion that the security world is changing, but our belief is that it’s not just about balancing risk with security, it’s also about balancing the cost of the security against the reward in terms of the level of security assurance that the expenditure will generate for a typical company.
And whilst there is no such thing as absolute IT security in today’s multi-vectored threat landscape, it is clear that multiple layers of defense can often produce a better overall return on investment curve than if just one or two layers of security are involved.
Our experience suggests that treating the governance levels of, for example, the PCI Security Standards Council as a starting point in security terms and working upwards – depending on the risk/cost/reward stance your organization is prepared to invest in – is the best way forward.
And when you factor in Coviello’s sound advice that you need to continue to evolve your organization’s thinking about security – working on the premise that shared knowledge is a powerful advantage – you realize that adding extra layers of defenses – such as a Windows privileged account management system that lowers your security risk profile – can help tremendously in the risk/cost/reward stakes.
The ideal solution is to apply least privilege principles to as many users as possible, with specific members of staff having limited access to admin facilities and, even then, only on the specific applications they need access to on a regular basis.
Our approach with Windows privilege management is to give users only the access and privileges they need to complete the task at hand. In most cases this will be for specific applications, tasks or scripts, and by assigning specific rights to those applications, you no longer need to give them to users. As Windows security expert Russell Smith explains in his book ‘Least Privilege Security for Windows 7, Vista and XP’, taking away user privileges can be similar to taking a toy away from a small child. The bottom line is that user expectations have a real impact on the security of any organization, so empowering them to perform their role without compromising the integrity or security of their systems makes good financial sense.
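Before rights can be moved from users onto specific applications, you need to know which accounts currently hold local administrator rights on a machine. The following PowerShell script is an added example written for this post; it is not Avecto’s code or part of any product it describes. It reads the local Administrators group through the WinNT ADSI provider (available on Windows XP through Windows 7 and later) and compares it against a baseline allow-list. The allow-list contents, the machine name and the output format are assumptions for illustration; replace them with your own organization’s baseline.

```powershell
# Audit local Administrators group membership against a baseline allow-list.
# Added example for this post; not vendor code. Run in an elevated PowerShell session.

# Assumed baseline: accounts that are expected to hold local admin rights.
# Replace with your organization's approved list.
$Baseline = @(
    'BUILTIN\Administrator',
    'MYDOMAIN\Domain Admins'
)

$ComputerName = $env:COMPUTERNAME

# Bind to the local Administrators group via the WinNT provider.
$Group = [ADSI]"WinNT://$ComputerName/Administrators,group"

# Invoke the Members method and read each member's ADsPath (e.g. WinNT://MYDOMAIN/jsmith).
$Members = @($Group.psbase.Invoke('Members')) | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # Normalise "WinNT://DOMAIN/Name" to "DOMAIN\Name" for comparison.
    ($path -replace '^WinNT://', '') -replace '/', '\'
}

# Any member not on the baseline is a candidate for having its admin rights
# removed and replaced with application-specific privilege rules.
$Unexpected = $Members | Where-Object { $Baseline -notcontains $_ }

[PSCustomObject]@{
    Computer         = $ComputerName
    TotalAdmins      = $Members.Count
    UnexpectedAdmins = $Unexpected
} | Format-List
```

Running this across a sample of workstations gives a measurable starting point for the risk/cost/reward discussion: the size of the UnexpectedAdmins list is the privilege exposure you are paying to reduce.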
As Coviello says in his column, as cyber threats escalate, we must invest in building a cybersecurity workforce with the requisite skills to defend enterprises, governments, and critical infrastructures.
And whilst – again as the EMC/RSA chief observes – these individuals need a 360-degree view of security that combines computer science, risk assessment, analytics, digital forensics, and human behavior – it should also be clear that the addition of multiple layers of security can only enhance the risk/cost/reward ratios.
Even if you’re not a board level professional, that should still make you smile.