TierPoint Summit Keynote Provides Good Lessons for Developing Security Strategy

By Mike Sander, TierPoint Senior Solutions Engineer

Last week I had the privilege of attending TierPoint’s annual Security Summit in Omaha.

Former White House CIO Theresa Payton presented a well-received keynote address about security lessons she learned serving the president.  Attendees said they enjoyed the talk because it provided a business context around an organization’s security needs, as well as ideas to address the added pressure they feel with high-profile cyberattacks continually on the rise.

ttm-1024

(LtoR) Tom McMillin, TierPoint President and COO, Former White House CIO Theresa Payton and Mary Meduski, TierPoint President and CFO, kick off the 2016 TierPoint Security Summit

Here are a few key takeaways from the presentation:

Assume Your Organization will be a Target
Payton said experience has taught her that “all security is defeatable, all data is hackable.”  She argued that modern security solutions are fundamentally broken and need to be reinvented, and that organizations should therefore assume that eventually their infrastructure will be attacked in some manner.

This assume-breach security approach allows you to make smart decisions quickly when an attack takes place because you will have already considered the risks of different scenarios along with their potential impacts. It also helps you determine where to invest your staffing activities and budget dollars.  Payton recommended prioritizing your company’s top two information assets and start by building a plan around them first.

Design with Users in Mind
By nature, people seek to avoid obstacles.  If a service is not giving them what they need, they find workarounds.  Payton recounted White House staffers who, before travelling, took screenshots or printouts of information housed on protected systems.  In response to their need for convenient access to information, the staffers introduced new security risks.

Payton’s advice? Make sure when designing applications to collaborate with the future users.  Periodically check in to ensure the application meets their needs, especially with databases and other tools that include a lot of information.

Security doesn’t start with a firewall or anti-virus. It starts with human psychology, user experience (UX) and assuring an application solves the right problem.

Test, Test and Test Again
Most schools and office buildings run periodic drills so that in the event of a fire, everyone knows what to do and where to go.  Payton stressed the importance of performing security infrastructure drills, noting that many decisions have to be made quickly during an attack.  Practice gives you time to think through decisions that otherwise may have to be made quickly.  If you receive a ransom note threatening to delete data on one of your servers, how do you respond? Practice allows you to get good advice and develop protocols and procedures in advance of an emergency.

This process is similar to what we do for TierPoint disaster recovery clients.  We can simulate a system failure to measure and better understand system recovery, in order to make recovery faster and more efficient.

Think like a Hacker
In addition to knowing your users well, Payton stressed the importance of knowing your enemies, or at least try thinking like one.  She advised being aggressive about protecting your systems such as deploying multi-factor authentication (MFA).  MFA makes it more difficult for a hacker to gain access to your network, including automated attacks, which often go for the easiest prey.

Payton advocates creating private protocols and domains with stringent rules about what can pass through.  A separate domain name that is different than your organization’s primary domain name can be harder to find and associate with you.

My final takeaway is the importance of building a security strategy as a collaborative, holistic endeavor.  Involve your users, business partners and others who access your network legitimately. Devising a security strategy requires reviewing other IT areas in your organization, including networking, disaster recovery, storage, and more.  It all has to fit together.

Developing a security strategy is hard.  Do not go it alone.  Find partners you trust to help you mitigate risks and protect the health of your organization.

Thanks Sponsors!
Thank you to our event sponsors Alert Logic, Cisco, Eckoh, Mimecast, Optiv, Radware, Schneider Electric, VMware, Windstream, and Zerto, and to contributors Continuum Security Solutions and WRK Systems.  Special thanks to our client panelists from American National Bank, Kiewit, Mutual of Omaha and NorthStar Financial Services.

matt-sander-2
Mike Sander, TierPoint Senior Solutions Engineer, has an extensive financial services background, along with experience serving organizations in a variety of industries, including health care. He is passionate about listening to client needs and working collaboratively to solve their IT infrastructure challenges.