Fighting the good fight takes specialized knowledge. Here’s the baseline of what all security pros should know.
Basic common defenses
Almost every computer has common basic defenses, which good IT pros consider and apply. These are the “standards” of computer security. They include:
- Patch Management
- End-User Training
- Secure Configurations
- Intrusion Detection
Understanding and using the basic common IT security defenses is a must for every IT security professional. But don’t stop at simply knowing about them. Know, too, what they are good at stopping and what they fail to do. If you want to know which two defenses help decrease the most risk, read this.
What four factors make cloud security more complex than traditional networks?
- Lack of control
- Always available on the internet
- Multi-tenancy (shared services/servers)
The joke is (and isn’t) that cloud really means “other people’s computers” and all the risk that entails. Traditional corporate administrators no longer control the servers, services, and infrastructure used to store sensitive data and serve users in the cloud. You have to trust that the cloud vendor’s security team is doing its job. Cloud infrastructures are almost always multi-tenant architectures, in which keeping different customers’ data separate is complicated by virtualization and, more recently, by containerization and microservices. Each of these developments has been heralded by some as a way to make security easier, but each usually makes the infrastructure more complex. And complexity and security do not usually go hand-in-hand. Want to dig deeper into this topic? I recommend starting with this article on cloud security.
Threat education and communication
Most threats are well known and recur frequently. Every stakeholder, from end-users to senior management and the board of directors, needs to know the current top threats against your company and what you are doing to stop them. Some of the threats you face, like social engineering, can only be stopped by educating the people in your company. So the ability to communicate is often the thing that separates a great IT pro from a mediocre one.
Communication is an essential IT security professional skill. But you can’t simply rely on a charming personality, because communication happens through a variety of methods, including face-to-face conversation, written documentation, emails, online learning modules, newsletters, tests, and simulated phishing.
Every good IT pro needs to be able to clearly and effectively communicate using verbal and written methods. When appropriate, she knows how to create or purchase the needed education and communication vehicles. No matter what technical controls you deploy, every year something will make it past them. So, make sure your stakeholders are prepared. At the very least, the following items should be covered in your education program:
- The most likely and significant threats and risks against the organization
- Acceptable use
- Security policy
- How to authenticate and what to avoid
- Data protection
- Social engineering awareness
- How and when to report suspicious security incidents
Looking for some hands-on, practical information security education advice? Check out “Ways to improve security education in the New Year” at CSO Online.
Follow the link to find all twelve.