Realistically avoiding a security breach 101

Enter “how to avoid a security breach” in any search engine and you will see no shortage of opinion and advice.  Some of it is salient and wise.  Some of it is questionable and dangerous.  This article is based on twenty-five years spent in the financial, health care and telecommunication industries focusing on technical and security issues.  I have personally been involved in handling three significant security breaches, dozens of reputation-affecting security events, and thousands of security incidents affecting productivity.

The size of an organization and the security budget it applies are no guide to the competency and preparedness of the IT people responsible for that security.  I have seen effective security programs on a shoestring budget and grossly ineffective programs with a big budget, corporate authority, and scores of security people.

So, how do credit unions and other financial institutions avoid a security breach?  Below are the hard realities:

#1.  Accept You Cannot Avoid A Security Breach.  If they want in, they will get in.  The criminal underworld’s technical expertise is as advanced as, if not more advanced than, that of government law enforcement and the best corporate security organizations around the world.  Information security is a billion-dollar industry, and as long as software and people mix, security will always be on the radar and someone will find a way to break it.  The real problem is unrealistic expectations.

Solutions

  • Accept that all strategic initiatives and decisions create the potential for security events.  Involve your technical and security teams early in the decision-making process to walk through the risk, before investments are made and resources spent.  There is no such thing as a zero-risk initiative or customer product.
  • Mitigate risk by developing a risk acceptance program across all departments.  Give the program teeth with leadership involvement, sign-off, and review on a cadence of every three to six months.  Make the risks known up and down the chain of command so teams can prioritize and focus safely.
  • Develop an ownership culture.  Every worker owns their role and contribution.  Then empower the teams identified as high-risk to propose solutions, give them time to put those ideas into practice, and reward ingenuity.  Give people a reason to get the organization buttoned up and to care about security, rather than relying on fear and threats.

#2.  Your People’s Ethics and Values Are the Security Risk.  Culture is king.  Are you hiring for skills or for culture?  Are your people upholding the organization’s mission and values, or are you not sure?  So many organizations hire for skill first and see culture and values as secondary, or not at all.  Without leadership, your workforce will make decisions that may not be in the best interest of your organization.  Or worse, workers will disengage, not care, and produce at the minimal level, which opens the door for a security event.  The problem is leadership.

Solutions

  • Define and communicate the organization’s mission, values and ethics, and how each person’s contribution reinforces the culture.  Leaders need to live the values, show the ethics, and demonstrate consistency with the mission and protection of the culture.
  • Spend considerable time in the hiring process to ensure quality candidates meet multiple objectives.  In many cases, not enough time is spent recruiting talented people with the right business skills who are focused on upholding the culture the organization is building.
  • Avoid omnipotent information security or technology teams.  Do not accept a convenient suspension of mission and values during the handling of a security event or incident.  Instead, cultivate partnership and consultation rather than negative and inflammatory rhetoric during collaboration.

#3.  Constantly Identify and Communicate Where You Are Weak.  So many security events and incidents occur when leaders do not have visibility into the various states of their operation.  I’ve witnessed fear of letting senior leaders know about infrastructure weaknesses, fear of being held accountable, and people succumbing to political pressure for fear of losing a customer or their job.  I’ve also seen experts hired to fix the larger issues, then marginalized and ignored when trying to raise red flags, because the culture doesn’t support reporting of defects or acceptance of failure.  Last is the demand for interpersonally savvy interaction instead of academic debate about the solutions to problems.  The problem is communication.

Solutions

  • Change the culture.  Routinely ask for, and reward, feedback and academic debate.  Leaders need to practice not just accepting feedback, but giving feedback by mentoring and teaching business methods and practices.
  • Provide tools that help people communicate and collaborate, and educate them on their use: ITSM, intranet, email, IM, Yammer, or a phone number to call.  Any one or all of these should be available within the organization.
  • Establish trust and build confidence with policies on safe harbor, whistleblowing, and non-retaliation.  Incidents should go directly to senior levels and be managed justly against the organization’s ethics and values policies.

#4.  Operational Complexity and Inconsistency Increase Security Difficulty.  In other words, the more difficult the infrastructure architecture, the more difficult security incidents are to detect.  The more entangled and complex the way the operation is performed, the tougher security events are to detect!  Our smartest people have a tendency to overthink and overcomplicate.  The results range from poorly thought-through technical solutions and quick-and-dirty fixes to complex problems, to attempts to address every possibility that end up consuming hundreds of hours on the less-than-1% situations.

Solutions

  • Embrace and evangelize simplicity in the corporate philosophy.  Seek out and destroy complexity with Lean or Six Sigma methodology.  This applies to business operations and technology teams alike.
  • Focus internal training on how your business works, and reward competency.  Everyone needs to understand the basics of the operation, the importance of the product delivered to the customer, and the risks involved in conducting business.  Without awareness of these areas, risks cannot be identified and anomalous behavior cannot be spotted.  Investing in operational knowledge increases technical security people’s ability to catch events that might otherwise be dismissed as normal or merely symptomatic.
  • Measure only what is important.  Do not measure for its own sake; that wastes resources.  Measure in order to develop a baseline, so that consistency in delivery can be watched and alerted upon.  The more focus goes to a myriad of measurements and the less to consistent outcomes, the more difficult security incidents become to detect.

#5.  Information Security Is a Program: No One Person or Tool Does It All.  The InfoSec industry is at full throttle, with the media reporting on every security breach that affects our money, our safety, and our security.  Wholesale consumer trust has eroded, and that is hot news.  In response, organizations react with security staffing and with the purchase and deployment of many security tool sets to report against the security policies they have written.  Some organizations expect immediate ROI, putting pressure on security personnel to deliver assurances to business units and customers alike.  Where is the evidentiary data and quantification of information security and risk?  How many tools or people does it take?

Solutions

  • Implement security awareness education and training for everyone.  This prevailing advice is simple and has been advertised for years as common practice, yet many organizations still do not do it.  Or they do not invest enough to make it effective, and do not measure it over time with testing.
  • Incorporate information security methods and practices into the DNA of every information technologist in the department, from the help desk to the architect and everyone in between.  This knowledge is no longer an “InfoSec” problem, but first and foremost a business problem that technology people can help with.
  • Take a hard look at what types of tools, and how many, before deciding what to invest in.  Frankly, this is one area where InfoSec tools have the most room to improve.  So many tools are singularly focused and require other tools for analytics and reporting.  It is easy to go nuts with tools that only do one or two things and eat precious budget.  Lean on your security vendors to do more and provide more… with less.  Vote with your dollars if they don’t listen or perform.

Technology alone is not to blame for security breaches.  It’s the choices made with our workforce, whether inside a credit union, another financial institution, or any business.  It’s critical to recognize that leadership, people, and knowledge management play the pivotal role in the likelihood of a security breach.

Leaders should therefore take these perspectives to heart before they focus on the technology side of the business problem.

Jonathan Merrill

Jonathan is the Director of IT Infrastructure at Lanvera.  Mr. Merrill is a leader with a reputation for delivering simple and creative solutions, in the toughest environments, to complex problems ... Web: www.lanvera.com