We continue with our “007 Life Lessons through the Verizon Breach Report” series, which combines lessons from the gadget wielding international crime-fighter, James Bond with data from the DBIR to secure our enterprises. Today is the turn of lesson 3: Innovation.
These lessons come from a recent presentation by our CEO Anders Norremo and Jason Torres from Rush University Medical Center at the 7th Annual Hacking Conference by ISACA and The Institute of Internal Auditors.
What does it mean to innovate?
The landscape of cyber security solutions is huge and growing everyday, fueled by a strong influx of venture capital.
At the same time, cyber security managers and directors encounter more and more potential risks and start looking for the right tools to reduce them with the minimum amount of effort possible.
Does that mean that we as an industry are innovating? The answer is both yes and no.
Innovative tools are built everyday, but often they are just too hard to use. Leonardo da Vinci once said, and Steve Jobs at Apple later adopted, that “Simplicity is the ultimate form of sophistication”.
In other words, our innovative tools must be easy to use. This is more important now than ever, as we are seeing a shift in the workforce.
Managing security is no longer purchasing tools for your network engineers or developers. Consider a hospital, where nurses are now interacting with a number of different solutions, or manufacturing workers who are incorporating technology to their processes.
The workforce is becoming digitized across all industries, but not all workers are heavy users of technology. So simplicity becomes the key to make it effectively available for everybody.
What would James Bond do?
Let’s draw a parallel to James Bond, who inspired this series of blogs. In the movie “Tomorrow Never Dies”, there’s a famous garage scene where he gets ambushed by countless numbers of Elliott Carvers goons.
During this scene Bond drives the car at break neck speed forwards and backwards all while hunched down in the back seat. He shoots missiles and deploys tire shredders all from a 1997 era “smartphone”.
How did he do this?
Bond famously never trains or tests out his gadgets. When he is around Q he’s more focused on coming up with clever lines than learning how to use the gadget.
The secret is that Q always makes it so easy that he doesn’t need any training. He can actually learn on the fly on his own.
The lesson learned there is that cyber security should be similar to this. Technology needs to be built on the premise that users at all levels can leverage functionality, even if they don’t have a technical background. So when introducing a new feature, let’s do it Q’s way – let others quickly see the effectiveness for themselves.
We all love to work and invest on innovation, but we can’t let it negatively affect the ease of use. The primary driver for any innovation should be improving the experience for cyber security professionals.
How does this relate to the Verizon Data Breach Investigation Report?
We’ve previously discussed that credential dumps are a big issue. In fact, stolen credentials are the top type of attack that’s affecting organizations, as a result of attackers abusing both compromised accounts and system vulnerabilities.
A knee jerk reaction to this insight would be to use stronger passwords and increase the complexity rules around them, but this tends to be ineffective at a policy compliance level.
Instead of applying restrictions, a better approach would be to turn this into a positive. Utilizing a SSO that across the board makes it easier to manage access, and can be secured with multi-factor authentication and more security controls.
This would be a good step towards addressing the number one threat enterprises are facing when it comes to cyber attacks.
Taking this a step further, when it comes to managing security, doing the same thing all the time is not necessarily the answer. Don’t be afraid to innovate your security approach from a thought perspective, as well as a technology solution perspective.
Changing our thinking leads to changing our focus, which leads to true security innovation. If attackers are looking for every angle to exploit, and James Bond is looking at all the angles to save the day, why can’t we do the same in security?
To learn more about how ThirdPartyTrust can help you manage third-party risk across your organization, request your free trial now: