New Year’s Resolutions – RSA Conference Edition
Robert McMillon, blogging from RSA, writes that the approaches taken with security today aren’t effective at protecting organizations from skilled and dedicated attackers. With that in mind, he posts some New Year’s Resolutions that he thinks the industry should follow:
1. Get rid of our assumptions – Whether you are at the conference or not, let’s get rid of our pre-conceived notions about what is needed or not in security. Approach all of our security issues with an open mind, as opposed to going automatically down the well-worn path created by our assumptions.
2. Remember that no solution is perfect – There is no such thing as a perfect anything. Even the things that are very, very good at what they do have a weakness that can be exploited. That’s why good security is built in layers, where the weakness of one layer is protected by the strength of another. That leads to my next resolution,
3. Try to think like an attacker – When we look at the new announcements that are sure to happen next week, think about each one from the attacker’s point of view and try to imagine how it could be exploited. The more exploits we can come up with, the better we will be at creating those layers.
4. Don’t only pay attention to the established players – There will be a lot of great ideas coming from non-traditional players, and we do ourselves a disservice by just flocking to the industry giants. As security continues to be mainstreamed, security ideas will come more and more from new directions. And finally,
5. Let security lead to compliance, not the other way around – Even though PCI did just issue their new guidelines, it is just an iteration. There isn’t a new regulation or mandate that everyone is scrambling to solve. Let’s take advantage of the relative lull to evaluate our security posture and the compromises we might have made in an effort to “get compliant”. We need to get back to recognizing that good security is the right end-goal; and it will naturally lead to both an improved risk posture and compliance with external mandates and guidelines.