For quite some time now, I've kept my employers confidential due to concern over being targeted by foreign entities in relation to the work I've performed for various Federal agencies. It's been an interesting run, providing my expertise to the Defense Information Systems Agency, the Department of Veterans Affairs, the Census Bureau, and various private companies over the years. I've worked with state-of-the-art computer systems distributed across the country, as well as with computer systems which are actually older than me but still up and running (and I just recently turned 40).
Three books, and thousands of tweets later, and I still feel like I've only scratched the surface of the real depth, and scope, of the cyber security realm.
So what's next? Where do I go from here?
I'm happy to announce that starting March 1, I'll be performing research and analysis for Enterprise Management Associates. I'm setting aside my system administrator and application developer hats, and focusing on my true passion - security and risk management.
For a long time, I have been a vocal advocate of proactive cyber security. Now, I get to take that advocacy to the next level, analyzing technologies and vendors, and helping shape the future direction of the cyber security industry.
We need to move beyond reactive "respond, remediate, repeat", and move forward to proactive monitoring of not only vulnerabilities, but also threats. The cyber security industry as a whole needs to do a better job of preventing incidents, instead of just responding to them. This requires not just better technology, but a shift in mindset, moving patch management and security configuration management out of the Information Technology (IT) department and into the Security Operations Center (SOC). Of course, such a shift will not be easy, and configuration and patch management will still require rigorous testing. However, by shifting these responsibilities to the SOC, IT will have valuable resources freed to address non-security issues, and keep the enterprise up and running, while working together with the SOC to keep the enterprise secured.
We need to embrace artificial intelligence, analyzing user behavior for malicious patterns. We need to begin training users to always be on the defensive against cyber attacks, and to refuse to compromise organizational security policies due to a "C-level" emergency. And finally, we need to look at Cyber Security not as a business expense, but as a business investment, measuring success based upon the cost savings every time an incident is prevented.
The cyber security game of cat-and-mouse will never end, and we'll never win the game just by building better mouse traps. We need to understand the "mice" and take better steps to prevent them from getting to the "cheese", the valuable data we have been entrusted to protect.
We can do better.
Ken is a Cyber Security professional with over 15 years of experience. All opinions are his own, and do not reflect the opinions of his employer or clients.
Can't wait for you to start!