With the recent headline-grabbing security breaches experienced by Target, Home Depot and JPMorgan Chase, you would think that organizations’ boards of directors would be actively involved in setting cloud security policies. Think again. According to PricewaterhouseCoopers’ latest Global State of Information Security Survey, fewer than half (46%) of survey respondents said that their board of directors actively participates in their organization’s overall security strategy. Thirty-six percent say that their board is involved in security policy. So how do you get your board involved in cloud security and ensure they support the investments needed for security? In our recent webinar, How to Spend Your Cloud Security Dollar, HOSTING product manager Tricia Pattee lists five cloud security mistakes that impact budgets, so you can begin the conversation.
5 cloud security mistakes that impact your budget
Cloud security mistake #1 – “We have to achieve 100% security.”
This isn’t a realistic or feasible goal for a couple of reasons:
- Cyber criminals are well-funded, well-organized and well-versed in the latest cyber threats.
- Cyber threats are becoming more sophisticated and can’t always be addressed by an organization’s current resources.
Organizations that focus solely on prevention are only addressing part of their cloud security. Threat detection and response are equally important. As Tricia emphasized in her webinar, “The faster you can detect an incident and respond appropriately, the better off your environment will be.”
Cloud security mistake #2 – “Our weapons have to be better than those of our hackers.”
According to Tricia, “Your security policy should primarily be determined by your goals, not the goals of your hackers.” Don’t get caught up in an unwinnable race. While it’s important to keep up to date on the intentions and methods of cyber criminals, it’s critical to adopt a flexible, proactive and strategic approach to security.
Bottom line – you don’t need a better weapon. You need an appropriate combination of tools and policies that alert you as quickly as possible to cyber threats. Effective policies and strategies should be based on continuous learning so that organizations understand how threats evolve and how to anticipate them. This means analyzing external and internal threat patterns to determine where to invest your cloud security budget.
Cloud security mistake #3 – “Investing in best-of-class technical tools will keep us safe.”
“Effective security is less dependent on technology than you think,” Tricia states. “The human factor is the weakest link in relation to security.”
Having a strong team of cloud security professionals (either in-house or through your cloud service provider) is most important. As Tricia notes, “You can take three mediocre tools and combine them with the excellent support and procedures and have better security than you would by investing in top of the line technology.”
Weigh your organization’s security risk against the tools you already have to ensure you have the right combination in place.
Cloud security mistake #4 – “We are secure because we are compliant.”
This is a common misconception that organizations have when evaluating their security and compliance. As Tricia notes, “Meeting compliance doesn’t make you secure; it just helps you meet a regulation.”
You can check the box to meet HIPAA, PCI or other compliance mandates and pass an audit, but it doesn’t mean that you are able to prevent a breach. Tricia likens it to riding a motorcycle. While wearing a helmet is following the law, it won’t necessarily protect you from getting hurt in the event of a crash.
Cloud security mistake #5 – “Defending ourselves requires recruiting the best professionals.”
Unless you have access to unlimited funds, hiring the best security professionals in the business may be unrealistic. Cyber security experts are in high demand and command top salaries (think six figures), which are out of reach for many companies. Engaging a managed cloud service provider with a dedicated security team such as HOSTING can be a better and more affordable option.
Keep in mind that whether you have a team in-house or through a provider, security is not a department. It’s an attitude and culture that should be prevalent throughout an organization with full support from executive and board leadership. For example, security should be part of your organization’s HR policy where all employees (including executives) are educated and trained on the actions they can take to contribute to an organization’s security posture.
Led by our own Chief Information Security Officer (CISO), the HOSTING team of certified information security experts helps organizations assess their security postures and develop custom security plans to defend against cyber threats and attacks. Contact us anytime to schedule a cloud security evaluation. And check out our on-demand webinar, How to Spend Your Cloud Security Dollar, for expert tips on developing a solid cloud security budget.