Touchdown or Touchback: Cybersecurity in Training Camp
There’s been a lot of chatter in the industry about the value of third party product testing, and I’m feeling like I need to weigh in.

I love an analogy when it works -- particularly a football one -- and in this case it does. We are just a short time away from the start of NFL training camps and the beloved and bemoaned pre-season, that several-week process during which coaches put players through their paces to see which ones have what it takes to help their team battle for the Vince Lombardi trophy. They are looking at several elements -- skill, gamesmanship, attitude, competitiveness, toughness, etc. But the evaluation doesn't start and stop there. Prior performance is evaluated, including stats and outcomes from college, the combines or other NFL teams. As we all know, some make the cut and some don’t.

This evaluation process is very relevant to how companies should evaluate the technologies and vendor partners they engage with to enhance their security posture. However, I think it’s fair to say that the cyber battles companies are facing today are far more daunting than the road to the Super Bowl, yet there is often greater scrutiny of football players than there is of technology and vendor partners.

While we watch our favorite players closely -- dissecting their running, jumping, catching, throwing, kicking and numerous other talents, judging them on differences of milliseconds and commenting on changes between regular and post-season play -- when was the last time your cyber technology and vendor partners were scrutinized as closely?

The road to the Super Bowl offers some clarity, as teams will face most of their possible opponents prior to battling it out on the gridiron for the big game. This allows coaches to decipher what the opponent’s strategies have been in the past, which players are the real threats, etc. And it’s a fair game -- 11 players against 11 players at any one time.
The cyber battlefield offers none of that clarity, insight, information or fairness. The opponent is anonymous, often well-funded and highly motivated to marginalize your defense.

Add to that the other factors impacting the cyber landscape. The attack surface continues to increase and expand. Between the bring your own device (BYOD) revolution, cloud and other consumerization trends, more devices and access points are being introduced into the corporate network. Each one represents a new way for attackers to get inside -- a problem which is only going to increase exponentially as we keep moving toward the Internet of Things. Additionally, if it’s not enough to have to worry about your own network, what about the networks of your partners or customers to which you've granted some sort of access? The danger posed by granting third parties access became painfully apparent in the last year, but it’s a reality of today’s business environment and unavoidable for most organizations.

The other reality, which most have finally accepted, is that there are only two kinds of companies today -- those who have been hacked and know it, and those who have been hacked and don’t know it. Presuming you've come to grips with the fact that it’s impossible to architect a 100 percent secure environment, don’t you want to be in the first camp and know you are being, or have been, attacked? If so, you should be applying a rigorous security technology and vendor evaluation process that most certainly includes how both the technology and the vendor perform in your own testing and in testing by others. Importantly, this should apply to new technologies and vendors being considered, as well as to those you are already using.
Just as veteran team players are run through the rigors of training camp each year to ensure they have what it takes for the coming season, you need to periodically assess whether you have the right players on your cyber team as the security landscape continues to change and evolve.

Additionally, you need to ask yourself if some of the vendors on your team have overlapping skills and can be consolidated. Have they been tested by third parties, and, if so, how did they perform? How well do their abilities match up to the risks you've identified, based on your testing and third party testing -- not their marketing material?

Third party testing is a bit like relying on a scout, rather than a player’s agent, to evaluate a player. You know what your team needs, but a scout knows how to evaluate players objectively and assess whether they’re really all that their agent and the hype around them say they are. Some scoff at third party testing, saying it’s next to impossible to have well-defined security categories that produce an apples-to-apples comparison. However, like NFL scouts, third party testers do these evaluations for a living. They have the experience and perspective you may not have, and they have the time and typically the resources to try a variety of scenarios. So, while I believe you should be doing testing in your own environment, there is absolutely value for you in the results of third party tests. You should be urging your vendor partners to participate in them and to share the results with you, for additional context in your decision-making process.

Selecting technologies and vendor partners to put your trust in to help you minimize risk and keep your network secure is a significant decision. While it’s important to act quickly against aggressive threats, make sure you’re looking for more than just a quick decision when assembling your team.
While it certainly doesn't have to take as long as the NFL training camps and pre-season, I encourage you to have an understanding of your unique risk landscape, and to hold your technology and vendor partners accountable for demonstrating that they are well-suited to address those risks by showing you more than just marketing materials. I’m seeing too many situations where organizations took action for the sake of taking action and now have solutions in place that don’t adequately address their risks. Don’t let this be you, because a breach happens faster than you can say “Touchdown!”

Peter George is President and CEO of Fidelis Security Systems.