
Let’s Skip the Security Theater

A friend recently asked me, since I’m “in the security game”, how to protect his home from thieves. He also didn’t want to drop too much money into this, so he was looking for, as he said, creative ways to “do security.”

OK, maybe a little quirky, but perhaps these might work:

  • Affix fake security patrol signage to your house: You’ve seen these; they’re signs and stickers that say things like, “This property is on 24 hour super security watch and violators are hosed if they try anything.” Most thieves will target your home, however, if you do this. They know that someone who paid the $47 for the signs and spent a Saturday afternoon putting them up now thinks their security job is done. In other words, their defenses are down, way down.
  • Hire a team of bearded guys who look like Navy SEALs to walk around your front yard a lot: This is a viable strategy for those with unemployed brothers and uncles who like to take short breaks from “Call of Duty” marathons.
  • Stage a highly publicized and visible theft of your own home: Make it look like you got robbed, and thieves will presume all the good stuff is gone. This will traumatize your children and cause minor damage to your front door and marriage, but it’ll be good times when you retell the story for years to come about being in police custody overnight.

Now, these examples may sound lame, but they aren’t far off from the security show some companies put on for executive management, boards of directors, auditors and customers. Ultimately, the question needs to be asked: is this actually making my home safer?

Quite often, our approach to security is like our approach to documenting our lives on Instagram: it looks fabulous, but it isn’t truly representative of reality. I know it looks like we party, but most nights we’re actually binge-watching Stranger Things while nursing a tub of Ben & Jerry’s Chocolate Fudge Brownie.

It’s okay that what’s visible and what’s real don’t always jibe when you’re fibbing about a restaurant you’ve never actually been to. But when you’re tasked with protecting sensitive data that could be nefariously used to throw people’s lives into chaos or destroy a company’s brand, there is no room for being cavalier.

Many have fallen into what amounts to security theater, and I’d venture to guess that it happens more often than we’d like. Maybe they’ve been given a 30-day mandate by the CEO to strengthen their security posture; that isn’t enough time to create anything meaningful, so they resort to bandages and rudimentary fixes. Or perhaps there really is a mindset that the presence of a firewall will keep hackers away from their cloud environment. Whether it’s ignorance, lack of resources, or willful lack of caring, the result is something that looks like security but amounts to nothing. Hackers are thieves, and thieves think differently than the rest of us. You can’t just outwit them; you have to actually prevent them from doing what they want to do.

Enterprise cloud security simply cannot be addressed with window dressing. The effort taken and the tools applied must show demonstrable progress towards protecting your data and assets, and providing a sustainable advantage over hackers. That has to be embedded into business and IT operations, and smart organizations understand the different elements required to avoid threats, as well as meet them when they occur.

There are a number of important best practices that companies must rigorously abide by and bake into their regular operational effort. In parallel with that, automated detection and continuous visibility into your cloud environment are critical. If you can’t see what’s happening and be alerted to it, damage can happen before it can be addressed. At the foundation of the Evident Security Platform (ESP®) is continuous monitoring and reporting of security controls. The ability to drill down from a report to a control and then down to the actual risks present in the cloud environment is what makes continuous visibility the most critical step in achieving control. Historical views of your risk level over time help you measure and communicate the progress you and your team are making in your overall security. There are two significant reports, included with every ESP account, that help you establish what we think should be your minimum level of security compliance: AWS S3 Security, and CIS AWS Foundations Benchmark. Aim to get to 100% on both those reports every day and no one can claim that you’re not taking security seriously.
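To make the report-to-control-to-risk drill-down and the daily score concrete, here is an added Python example (my own illustration, not ESP code). It evaluates a constructed S3 bucket inventory against four hypothetical controls; the control ids, bucket names and policies are made up and do not follow CIS numbering.

```python
"""Report -> control -> risk drill-down over a constructed S3 bucket inventory.
Control ids and buckets are illustrative, not ESP reports or CIS numbering."""

def policy_allows_public(policy):
    """True if any Allow statement grants rights to the anonymous principal."""
    for st in (policy or {}).get("Statement", []):
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and anonymous:
            return True  # a Condition could narrow this; flag it anyway
    return False

# Hypothetical controls: id -> predicate that must hold for every bucket.
CONTROLS = {
    "S3-01 public ACLs blocked": lambda b: b["block_public_acls"],
    "S3-02 no public bucket policy": lambda b: not policy_allows_public(b["policy"]),
    "S3-03 default encryption set": lambda b: b["default_encryption"] is not None,
    "S3-04 access logging enabled": lambda b: b["logging"],
}

# Constructed inventory, standing in for what a daily API sweep would return.
SAMPLE_BUCKETS = [
    {"name": "app-logs", "block_public_acls": True, "policy": None,
     "default_encryption": "AES256", "logging": True},
    {"name": "marketing-assets", "block_public_acls": False,
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject", "Resource": "*"}]},
     "default_encryption": None, "logging": False},
    {"name": "backups", "block_public_acls": True,
     "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                               "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup"}}]},
     "default_encryption": "aws:kms", "logging": False},
]

def evaluate(buckets, controls=CONTROLS):
    """Return {control_id: [failing bucket names]}, i.e. the per-control risk list."""
    return {cid: [b["name"] for b in buckets if not check(b)]
            for cid, check in controls.items()}

def score(report, bucket_count):
    """Percent of (bucket, control) pairs that pass; 100 means fully compliant."""
    checks = len(report) * bucket_count
    failures = sum(len(risks) for risks in report.values())
    return round(100 * (checks - failures) / checks, 1) if checks else 100.0

def trend(daily_scores):
    """Day-over-day change in score, so progress or regression is measurable."""
    return [round(b - a, 1) for a, b in zip(daily_scores, daily_scores[1:])]
```

Running `evaluate(SAMPLE_BUCKETS)` gives the risk list behind each control, and feeding one `score()` per day into `trend()` is the historical view the paragraph describes.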

When strict security measures and compliance controls are built into your business processes, actual security happens and value is recognized for IT users and business teams.