Does your organization take cyber security seriously?
“Sure, we meet all the regulatory compliance regulations,” you might say.
Okay, fair enough. Let me rephrase that. Do you deploy IT security products purely to check boxes and meet compliance requirements? Or are you actually concerned about security?
In a survey we carried out last year at RSA Conference, more than 60% of delegates admitted that they had deployed a cyber security product purely to meet compliance regulations. You can read details about that survey here: https://liebsoft.com/news-events/2015-information-security-survey/
But being compliant doesn’t mean being protected. There are no IT security products that can just be deployed seamlessly in an enterprise and forgotten about. We have to give our security products some TLC to get the maximum security potential. And some are needier than others.
What’s troubling is that almost 70% of organizations don’t think they get the most from their security products because they are too complicated, too time-consuming or need certain expertise. And the majority of those respondents confess to knowing that their companies are at risk because they are not using security products to their full potential.
Although there is much work to be done by suppliers, there are several things these organizations can do now to reduce risk and use security products to their full potential.
Getting the Full Potential Out of Your IT Security Products
First, pick carefully. Like shoppers who buy branded products in a supermarket rather than the identical own-brand counterparts, too many businesses get sucked in by the biggest brand names in security with little regard for what they actually need.
Start by asking a few key questions before you commit to a new product.
- Do you have existing IT security knowledge or will you have to hire someone?
- Can you deploy the product in-house or will a managed service make more sense?
- What is the support like?
- Is training offered by the manufacturer or reseller?
- Is the supplier sufficiently responsive to your communications?
Trust me, if the vendor isn’t helpful at the start when trying to make the sale, then there’s no hope when it comes to support later on.
Get Trained and Stay Up to Date
Along with the security product itself, you should always be given training, whether it is sold directly from the manufacturer or through other channels. Spend a good amount of time learning the product when you first install it and then review and refresh monthly or quarterly, as needed.
After all, if you’re not using the product correctly, you might as well not have it at all.
Security Compliance Is Not a Point-in-Time Exercise
The main driver for a lot of organizations when searching for security products is meeting regulatory compliance requirements. But that’s not enough. Globally, the US has the highest number of data breaches. And at one point, each of these companies was probably compliant, maybe even at the time of the breach. However, many would have forgotten about compliance as soon as they passed their audit, defeating the point in the first place.
Compliance should be continuous, not a one-time event. Some products make compliance easier to maintain than others, so do your homework.
It’s great that organizations are thinking about compliance. However, we need more emphasis on security. A security product will fail if it’s not implemented and maintained correctly. So every penny and minute that goes into choosing and maintaining the right product is worth it.
If your company is breached, it won’t be your security product’s name that gets dragged through the mud. It will be yours. So remember this mantra: “no compliance for compliance’s sake”.
By Chris Stoneff, Vice President Technical Management, Lieberman Software
Chris Stoneff oversees product management, quality assurance and technical support at Lieberman Software, and is instrumental in guiding the development of the Lieberman Software products portfolio.