While looking around at the 17,500 IT security pros—and, yes, hackers—in attendance at Black Hat 2017, I noticed something: Everyone seemed... tired. I'm sure it didn't help that the temperature was well over 100 degrees, or that scoring free swag at the show required loads of walking. But, there's more on the minds of IT teams. Specifically, compliance. As it gets more difficult to be compliant, an increasing amount of pressure is falling on IT teams to innovate—or better yet, use technology to disrupt the space.
McAfee Labs revealed that 93 percent of IT pros find the volume of daily security alerts exhausting. And due to a lack of resources and energy, only 18 percent of organizations are actually in compliance between audits. Ladies and gentlemen: Compliance fatigue is real, and it just might be more tiring than a July trade show in the desert.
Managing IT: Rock, meet hard place
With rising compliance requirements and costs, businesses are forced to dedicate significant resources toward tracking regulatory changes or outsourcing compliance activities just to stay on the up-and-up. With the average data breach cost approaching tens of millions in regulatory fees and cleanup, 60 percent of IT pros are concerned that non-compliance carries personal liability in addition to organizational risk.
HVAC systems, POS terminals, Wi-Fi routers, and vending machines are just a few smart endpoints on your company's network. Even though these have all been successfully hacked in the past, a few seemingly innocuous technologies have been linked to high-profile, expensive data breaches. HP security advisor, Dr. Kimberlee Brannock, shared insight into why we can't afford to ignore governance, compliance, and security in her Black Hat 2017 briefing. She also discussed why the right mix of all three elements is the smartest way to protect your organization's data.
Today's security pros are balancing competing priorities when it comes to security. They're working to mitigate the risk of cyber attacks, and they're adopting safeguards against internal or external data theft. IT teams are also balancing the rapidly changing, steep measures for meeting legal and regulatory requirements and industry standards through audits.
Security innovation is key to staying afloat
As organizations and consumers change the ways they interact with technology and the world around them, innovating is necessary. Brannock cited massive increases in data assets, rapid adoption of IoT devices, and rapid growth in security threats as the three reasons why IT teams need to innovate or get left behind when it comes to staying secure.
Luckily, there's little need to reinvent the wheel. There's an abundance of frameworks that IT pros can use to manage security. Brannock recommended that IT teams avoid ignoring the importance of security-driven culture, and place the responsibility of protecting information on every single employee. With smarter tools for awareness training and education; the adoption of a solid framework (like the National Institute of Standards and Technology) for cybersecurity; and the acquisition of intelligent tools loaded with built-in security measures, companies can stay afloat without losing their minds due to compliance fatigue or its lesser-known counterpart, threat burnout.
Effective governance equals less IT headaches
In IT, governance is defined as "levers for accountability." It can involve policies, management controls, and processes to ensure everyone's held accountable for what they need to be doing (protecting sensitive data assets). Not only does effective governance reduce your firm's likelihood of suffering a cybersecurity attack, it can also reduce the number of IT-team headaches associated with personal liability if their firms are hit by data breaches.
Governance should cover your internal stakeholders and extend to your vendors and tech partners. The US federal government recommends that IoT device manufacturers incorporate security principles into the very design of connected products for your company's network. Ensuring that your vendors are accountable for security innovation at the firmware level will make your organization far more secure. It will also reduce your risks in the process.
Brannock's best Black Hat 2017 tips
Every IT pro wants a few things in life: reduced security risks, total compliance, and a little energy at the end of the day to Google the wackiest new tech gadgets during their commute home. Based on her 16 years of experience with HP security, Brannock shared a few recommendations on how IT pros can make security easier, starting today:
- Shop by security. Draw a line in the sand when it comes to your governance by selecting your technologies, including hardware, software, and connected devices, based on built-in security features like self-healing and the ability to detect security attacks.
- Don't use defaults. A staggering amount of routers, VoIP phones, and printers are operating with default passwords, like "admin." By building policies and controls to ensure nothing is connected to your network without adequate password protection, you could reduce quite a bit of risk.
- Don't share access. It's hard to build a culture of accountability when 40 people are sharing the same admin credentials. Encourage personal accountability and achieve compliance by making sure individuals have unique access and the least amount of access necessary.
Security pros need to adapt and change their methods of protecting sensitive data, and fast—because the bad guys are innovating, too. Throw away your compliance fatigue and fears of personal accountability by understanding how governance can support security and compliance, while holding your IoT vendors accountable for device security.
Continue the Black Hat 2017 journey on Tektonika with "Black Hat 2017: Michael Howard talks sheep, hackers, and urgency," featuring more of our on-the-ground coverage!
Photo courtesy of Black Hat