It takes a confident IT department to admit they don’t know what they don’t know. There is immeasurable pressure on IT departments and specifically the folks responsible for security to assure their board and management that they have done everything with the resources they have been given to secure the organization’s high-value assets from a data breach.
Herein lies the problem. Management tends to treat security expenditures the way they treat productivity software purchases – check the checkbox, one and done. Unfortunately, security is not a destination but rather a journey. The “destination” mindset forces the security department to ignore their natural inquisitive tendency of discovery and forces them to adopt an ostrich approach.
Gaining visibility into the “unknown” requires specialized tools. These tools provide visibility into unknown and unauthorized activity, activity that is allowed by traditional defenses. These tools take the “allowed” data and analyze it against what is authorized to happen, highlighting unknown potential threats.
Getting an organization to focus on discovering what they don’t know takes confident leadership. It is far better to be the voice of reality continually pushing to bring visibility to what is really happening within the network than to take the ostrich approach and hope that your organization will not be breached. It is commonly accepted that a breach is inevitable and the job of the security department is to minimize that risk and contain the inevitable breach with little or no impact on the organization’s high-value assets.
I salute the self-confident purveyors of security that acknowledge they don’t know what they don’t know and press on to narrow that knowledge gap.
Author: Greg Guidice, RazorThreat