July 16, 2012, 4:25 PM — A core dilemma for IT today is how to properly protect an organization's information systems and assets when security tools often seem like a black hole sucking down both time and money. But a strong defense doesn't have to be expensive, and a good place to start is assessing what information is publicly available and figuring out how to safeguard it from attack.
It's easy to get caught up in the hype around who might be attacking organizations and why, which leads to misconceptions about the requirements and costs associated with effective security. Companies need to approach security more fundamentally and strategically. They should also be looking at it from the attacker's viewpoint, trying to identify what there is to steal and how to go about it. Those answers should be the guide for an organization's defense system planning.
During a panel discussion at the ISSA Los Angeles (ISSALA) Security Summit in May, BeyondTrust CTO Marc Maiffret gave a good example of how media and vendor messaging both fuel and respond to trends and public interest in security, and in turn, can influence how organizations view risk and evaluate their security needs.
As Maiffret noted, distributed denial-of-service (DDoS) attacks get the media's immediate and focused attention because the events are visible to the public. The world takes notice when a prominent hosting provider, financial institution, or social network service goes offline due to a DDoS attack. The event is easy to spot, the result of the downtime is often newsworthy, and the human nature aspects of the event appeal to the masses.
As public and media attention get soaked up by the who and the why of the equation, vendors capitalize on the hype by tapping into the consumer fear factor and by shaping their product messaging around what's hot in the news. Such marketing tactics draw in even more media and public attention, and so the hype cycle continues, building and building like a snowball. All this noise scares organizations into investing to fight off the bad guys.
But what good to an organization is any security program -- expensive or not -- if the organization doesn't even know what it needs to protect or how vulnerable to attack it is to begin with?