With all of these security breaches making the news headlines on a weekly (sometimes daily) basis, one can imagine that there is (or should be) a renewed focus on how organizations secure their information assets.
There are many products available on the market which can assist with this task – newer application-based firewalls, Intrusion Detection and Prevention devices, Internet access gateways, Security Information and Event Management (SIEM) and the list goes on. However, these products will not adequately protect the environment unless an information security professional pays attention to them.
In the absence of human attention, the symptoms become apparent: unpatched systems, security breaches going unnoticed, misconfigured access control lists and a lack of documentation are just a few issues resulting from the lack of human oversight. When a breach occurs, the cause is often revealed to be simple enough that even a novice security person could have identified it as a potential issue. It becomes obvious that sufficient resources were not available to properly review these systems or pay attention to the overall security posture of the environment.
It’s hard to believe this bit of common sense is so often overlooked; however, I firmly believe the biggest threats to security today are not deficiencies in electronic security countermeasures but shrinking IT budgets, with the acquisition of additional security personnel required to ensure the security of the organization's assets falling by the wayside.
In the public sector, a perception exists that investing in information security offers no value to the business. However, this mindset has been rigorously tested over the last year with company reputations being (perhaps irreparably) damaged when a security breach occurs, a cost which far exceeds the amount that could have been spent on properly securing their environment.