In the fast-paced world of information security, where new threats often emerge faster than the security industry can keep up, IT security experts have their work cut out for them. Just one mistake can lead to a data breach, and just one data breach can lead to disaster. Here are three mistakes IT security experts should avoid in 2015 and beyond.
1. Underestimating the dangers
If your customers are small, medium, or niche businesses, it can be easy to underestimate the information security dangers they face. News coverage of corporate data breaches typically focuses on large, well-known multinational corporations, encouraging a false sense of security among SME IT decision-makers and IT security experts. But smaller businesses are at risk, too. And the stakes are often higher for SMEs, since they typically lack the large financial safety net or broad customer base with which Fortune 500 corporations ride out negative publicity. An IT security expert who underestimates SMEs' data breach risks can put those SMEs in serious danger. Understand what sensitive or high-value data your SME customers handle and clearly communicate why even they must invest in keeping that data safe.
2. Relying too exclusively on technology
Technology will always be one of the IT security expert's main tools, but it cannot be the IT security expert's only tool. Over-reliance on technology is a major mistake. The information security industry is essentially reactive: hackers are constantly uncovering vulnerabilities and developing and deploying exploits while information security firms play catch-up, still patching discovered vulnerabilities and identifying existing threats while hackers move on to the next assault. In addition, today's sophisticated phishing scams and individually targeted attacks make people the biggest vulnerability in an IT environment. An IT security expert who fails to recommend user education and active monitoring of network and system activity greatly increases the customer's risk of a data breach. IT security experts must be aware not only of how technology can make customers safer, but also of how it can't.
3. Insisting on handling everything in-house
The modern enterprise IT environment is vast and complex. Mobility, BYOD, cloud, and Big Data initiatives have all greatly expanded the amount and variety of IT assets in use in the enterprise. This significantly increases the number of systems enterprises must protect and the number of potential vulnerabilities and attack vectors for cybercriminals to exploit. Ideally, enterprise IT and security teams (and budgets) will expand to meet the new needs, but in the real world, they often don't—or even contract at the precise moment when expansion is most desirable. Enterprises and their IT security experts invite disaster by choosing to handle all security operations in-house when in-house IT departments lack the required manpower or expertise. As an IT security expert, you should be able to recognize when an organization would benefit from outsourcing and have appropriate recommendations at the ready.
All of these mistakes are tied together by one common thread: the failure to save a customer from itself. IT decision-makers can be prone to underestimating their own risk, becoming too reliant on technology, and insistent on handling security operations in-house. As your customers' trusted IT security expert, it's up to you to stop your customers from digging their own graves. Do so by clearly communicating the risks and providing the most appropriate solutions.
Can you think of some other mistakes IT security experts should avoid at all costs? Share in the comments below.