Ask any rugby player, watch any game — a team’s attack lives and dies with its forwards. The forwards give the primary ball handlers time to make smart choices against oncoming threats, which paves the path for the team to advance.
In a world that moves lightning fast, holistic security is at the heart of an enterprise’s speed offence. The security team is the company’s front row – one that requires the awareness, focus, and flexibility to address threats. Not only does a versatile, cloud-native security team give leaders the breathing room to make decisions, but it also opens lanes for continuous innovation and deployment.
>See also: Enterprise security is a matter of policy
The Equifax hack was a wakeup call. But attacks at this scale have happened before and will continue to happen again as long as an old-school security approach continues.
Everyone, from the CEO to the security team to the engineers, needs to be aligned on the same strategy— so here are some tips from my playbook that might help you avoid a crushing defeat.
Know your weaknesses
The biggest risk to enterprise is legacy infrastructure and a legacy mindset. If a company wants to succeed, the whole team must make it a priority to re-platform onto a modern, flexible system in a cloud-native approach. If you keep pushing off and avoid dealing with old configurations, you’re going to get caught.
Create a supporting environment
Although backs are generally associated with the more stylish side of the game, showing off speed and innovation, a team must also develop those taking on less glamorous roles in the background, which for enterprises means allocating meaningful budget and resources to security.
Keep in mind too that wrong-spotting is easy and often disproportionately weighed when evaluating a security team’s performance, so select a security team you will place your faith in and trust to clean up mistakes when they occur. And if you can’t find enough talent in your squad, consider transfers from strategic partners that will give you the right technology and people to propel you forward.
Make sure the team has the right fundamentals
Once your security team is put together, don’t keep them — or their mentality — isolated. Just as backs are also required to tackle, every group in your organisation needs to understand the importance of security.
This is why a balanced team approach to software, with embedded security experts, will keep an organisation more protected. Security can’t be handed off or pieced together, it has to have a foundational philosophy that can guide everyone on the team.
Get smart, go modern
You have to replace your outdated tech. A lot of outdated tech that relies on old software can be just the crack an attacker needs. Chromebooks are a good example of newer laptops that are immune from traditional viruses. Chromebooks are better because they patch and repair themselves automatically.
These updates essentially repave the laptop frequently. They are simple, so they have a reduced attack surface area, and they are strongly opinionated about the types of applications they will run. Working in a new, modern way means you’ll be working in a way that’s more secure.
Keep them guessing
It all happens at the breakdown (or in this case, production), that’s where you can keep attackers guessing — by switching the play at the right time. Say a credential leaks. Well, what if you had a service that updated all your credentials automatically multiple times a day? Meaning that leak would only be good for a window of a few minutes. This limits the amount of time bad actors have in your system and the damage they can do.
A post-match interview on Equifax
People and businesses will only learn so much from public hearings or trials in which Equifax participates. And the details will likely never become clear, because the problems are rooted in the company’s culture.
The blame game can be satisfying, and making fun of it can be hilarious, but these attitudes ignore the pervasive avoidance and excessive caution that keeps most enterprise security teams 10 years behind the times. Security teams at older enterprise companies are fighting a losing battle, constantly hearing “no” and not getting the resources they need.
In the future, security will have greater clout and respect, which will be seen in personnel shifts, modern technology and new playbooks.
But this can only happen if the team there builds a solid forward pack — one that’s willing to take everything the opposing forces will throw at it, and one that will passionately work towards scoring a ‘try,’ even when it is seemingly impossible.
Sourced by Justin Smith, chief security officer, Pivotal