Skip to main content
banner image
venafi logo

The Silver Bullet Fallacy: Why You Need to Spend More Time on Security Hygiene

The Silver Bullet Fallacy: Why You Need to Spend More Time on Security Hygiene

security hygiene
November 21, 2017 | Scott Barronton, Chief Information Security Officer, Finastra

With the steady drumbeat of ransomware stories in the news, you’d think security hygiene would also be front of mind for the media that caters to CISOs and their teams, but in truth there is limited commentary about this important subject.

Instead, there’s a growing perception that companies need new security technology to help them ‘fight ransomware’ but this isn’t always the case.

The ugly truth is that we are still seeing the same kinds of attacks today that we saw in the 90s. Attackers are still taking advantage of humans because they are the weakest link. Even with a rigorous security training program and technology controls designed to limit the damage, users are still prone to click on links when they shouldn’t.

So, what can you do? The logical thing is to fix the underlying weaknesses that are open to exploitation. This isn’t the sexy stuff... I’m talking about cleaning up your access management program, improving vulnerability and configuration management, and making sure your systems are patched. You know – all that basic, boring, old school stuff. This is what should form the foundation of your security program.

Every organization has security standards and policies that cover security basics; often we go to great lengths to get these policies written and approved. However, it’s pretty rare for companies to have these programs fully implemented – which doesn’t make a lot of sense. If you don’t implement, measure and improve the policies that cover all the security basics then they become nothing more than another piece of paper.

Implementing policies to drive measurable improvement for vulnerability management or IAM programs requires a good deal of work. You have to build a business process that focuses on how your organization manages, measures and self-reports on how well you’ve implemented these basic programs.

CISOs and security teams can sometimes neglect compliance and policy work because it is time consuming and not very visible. After all, you’re not going to get a lot of recognition for making sure that your cryptography environment actually enforces important standards such as key length and validity periods.

It’s far easier to start talking to a new security vendor who promises that, if you buy their stuff, the latest threat du jour won’t get in. That might be more interesting, but you’ll get better results if you take the hard line and say that you’re not going to chase any new technologies until the ones you already have are operating as effectively and efficiently as possible.

When someone in my organization suggests a new security tool, I always think about whether the perceived need for the new tool is because we aren’t practicing the fundamentals. Often, we can improve our hygiene enough that we don’t need the new stuff at all. For example, if you’re thinking about buying some new ransomware tools to protect your organization, it is always worthwhile spending some time looking more critically at your vulnerability management and patch programs as a first step. I think of security hygiene as a way to hold your security program up to a mirror. It’s similar to the way you look at yourself every morning to assess your personal hygiene – how well you’re doing with the security equivalent of combing your hair and cleaning your teeth. Ask yourself how effective you are at measuring yourself against your security threats. And while you’re at it, ask yourself if you and your team value the work that’s associated with security policy implementation. Does your team, or any of the teams you rely on, get recognition for doing this difficult work?

Granted, this approach requires discipline and focus, but it pays off. You’ll maximize the security investments you’ve already made. Because you’ll have a much better understanding of your real risk posture, you’ll also be able to respond more effectively to a wide range of security threats. And your security budget won’t grow as quickly, which is always good news for your executive team. I’d like to challenge all of my peers to make a serious commitment to operationalizing all of their carefully crafted security policies. You’ve invested the resources necessary to build and standardize them; now, instead of investing in a new ‘silver bullet’, spend your valuable resources fully implementing them. It won’t be easy, but it will be worth it.

Learn more about machine identity management. Explore now. 

Like this blog? We think you will love this.
Featured Blog

What Is Encryption Key Management?

Why Is Key Manag

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Scott Barronton, Chief Information Security Officer, Finastra
Scott Barronton, Chief Information Security Officer, Finastra

Scott is the CISO at Traveler. An IT leader with over 20 years Information Security experience across a wide spectrum of Fortune 500s, he is recognized by his peers as having a balanced view between business needs and security standards.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more