Team we45
August 6, 2020

5 Mistakes to Avoid in Enterprise Security Management

A lot of organisations treat Enterprise Security Management (ESM) like a bad roommate: can't live with 'em, can't live without 'em. We've worked with companies across a wide range of industries over the years, and all of them have implemented ESM in some capacity.

But why do some companies do it better than others? What do they do that others don't? If you find yourself asking these questions, this article is for you. And if you're asking "Why should my company even bother with this ESM stuff?", then this article is definitely for you.

Here are five of the biggest mistakes made by companies that fail at Enterprise Security Management:

1. Looking at Security as an IT Function

The objective of Enterprise Security Management should be one thing and one thing only: protecting the organisation's critical assets. Yet enterprise security is still largely treated as an IT function.

In reality, security incidents and breaches hit the company's operations at least as hard as they hit IT. If a retail chain is hit with malware, the chances are that store operations and business management take an equal or bigger hit than the IT department.

A few years ago, a major software development company had its entire R&D operations catch on fire due to a short-circuit in the building. The fire spread quickly, burning everything in its path. Luckily, they didn't suffer any human casualties, but the same couldn’t be said of their operations.

They had no coordinated Business Continuity or Disaster Recovery Plan. One department lost a large amount of source code as a result of that poor planning. Worse, they had just missed a payment on their fire insurance policy and were looking at a massive financial loss.

A successful ESM function is one that cohesively binds enterprise management with security management. The best organisations we've seen take that binding seriously, and it shows in their results.

2. Putting Functionality First, Security Last

Every unsuccessful enterprise project we've come across has put functionality ahead of security. The reasoning usually goes: if the functionality doesn't work yet, why worry about whether it's secure? The trouble is that security then becomes something bolted on at the end.

Here's an example. Recently, a major bank in the country implemented an extensive Customer Relationship Management application across all its operations. It was a huge implementation, spanning over 100 locations, with millions of dollars spent on the whole thing. The bank had us perform a penetration test as the final step before going live: a quick security validation before deploying the app to production. Security was clearly an afterthought.

You can imagine how well that test went. We identified several issues and handed over a 150-point action list. It was clear that if the app went into production as it was, it would be compromised in no time. The issues ran as deep as the architecture itself, as well as through the code and the deployment. The project had to be delayed by more than a year because of the lack of planning and poor execution.

Trying to secure a building's foundation after the building is up means tearing the whole thing down again.

The best organisations treat security, functionality, performance and the rest as part of the same specification for every project and implementation. They bring in security expertise and hands-on validation (design review and testing) early in the project lifecycle, and they get efficient results.


3. Saying “We are not under attack”

This is a classic statement from CIOs and CEOs when confronted with a security situation: "So far we haven't suffered any breach; when we do, we can do X or Y."

Well, no one predicted the Great Depression of 1929, the financial crisis of 2008 or the coronavirus pandemic. If people had that kind of foresight, we'd be out of business. Given our obvious limitations in predicting disasters, the next best thing is to prepare for them.

Enterprise risk today is highly dynamic and constantly changing. 'Safe' is a relative term, and the goalposts can always move.

The critical question to ask yourself is, "Do we have critical assets in the organisation?" If the answer is "Yes", then you need to plan on the assumption that a breach will happen.

4. Not Implementing Security Automation

Security automation has to be one of the most important advances in ESM in the last few years. Once you start applying security everywhere, the sheer number of processes you have to keep track of becomes overwhelming. Low-effort but repetitive tasks waste a lot of time in the long run and leave your operations hamstrung.

Organisations that have started automating security tasks report a considerable improvement in efficiency once the 'burger-flipping' tasks are cut out. Look at the different departments and projects in your company and ask, "Which of these processes don't actually need a person to do them?" Answer that, and you're one step closer to maximising your ESM efficiency.
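One of the most common 'burger-flipping' tasks in AppSec is the first pass over scanner output: the same findings show up on every run, in a different shape from every tool, and someone has to sort them before anyone can act. The Python below is an added example to illustrate scripting that pass; it is not code from the original article or from we45's tooling. The scanner names, record layouts, URLs and findings are all constructed. It normalises output from three hypothetical scanners into one shape, collapses duplicates, drops items whose risk was already accepted at an earlier triage, and ranks what is left so a person only looks at new, prioritised items.

```python
"""Automated triage of scanner output: normalise, deduplicate, prioritise.

Added example, not code from the original article. Tool names, field layouts,
URLs and findings below are all constructed for illustration.
"""

# Constructed sample output from three hypothetical scanners run against the
# same application. Each tool has its own field names and severity labels.
SAST_RAW = [
    {"rule": "sql-injection", "cwe": "CWE-89", "severity": "HIGH",
     "path": "app/db.py", "line": 42},
    {"rule": "sql-injection", "cwe": "CWE-89", "severity": "HIGH",
     "path": "app/db.py", "line": 42},            # same hit from a re-scan
    {"rule": "hardcoded-secret", "cwe": "CWE-798", "severity": "MEDIUM",
     "path": "app/settings.py", "line": 7},
]
DAST_RAW = [
    {"name": "SQL Injection", "cweid": 89, "risk": "High",
     "url": "https://shop.example/search"},
    {"name": "SQL Injection", "cweid": 89, "risk": "High",
     "url": "https://shop.example/search"},      # reported once per payload
    {"name": "Missing X-Content-Type-Options", "cweid": 16, "risk": "Low",
     "url": "https://shop.example/"},
]
SECRETS_RAW = [                                   # this tool has no severity field
    {"detector": "generic-api-key", "file": "app/settings.py", "line": 7},
]
SCANS = {"sast": SAST_RAW, "dast": DAST_RAW, "secrets": SECRETS_RAW}

# Risk decisions recorded at an earlier triage, keyed by the same fingerprint
# dedupe() uses, so an accepted item never lands on the action list again.
ACCEPTED = {("CWE-16", "https://shop.example/")}

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def normalise(raw, source):
    """Map one tool-specific record onto a common shape."""
    if source == "sast":
        return {"source": source, "cwe": raw["cwe"], "title": raw["rule"],
                "severity": SEVERITY[raw["severity"].lower()],
                "location": f'{raw["path"]}:{raw["line"]}', "internet_facing": False}
    if source == "dast":
        return {"source": source, "cwe": f'CWE-{raw["cweid"]}', "title": raw["name"],
                "severity": SEVERITY[raw["risk"].lower()],
                "location": raw["url"], "internet_facing": True}
    if source == "secrets":   # every leaked credential is treated as high
        return {"source": source, "cwe": "CWE-798", "title": raw["detector"],
                "severity": SEVERITY["high"],
                "location": f'{raw["file"]}:{raw["line"]}', "internet_facing": False}
    raise ValueError(f"unknown scanner {source!r}")


def fingerprint(f):
    """Stable identity for a finding: the weakness class and where it is."""
    return (f["cwe"], f["location"])


def dedupe(findings):
    """Collapse records with the same fingerprint into one, keeping the
    highest severity seen and the set of tools that reported it."""
    merged = {}
    for f in findings:
        key = fingerprint(f)
        if key not in merged:
            m = {k: v for k, v in f.items() if k != "source"}
            m["sources"] = {f["source"]}
            merged[key] = m
        else:
            m = merged[key]
            m["severity"] = max(m["severity"], f["severity"])
            m["sources"].add(f["source"])
            m["internet_facing"] = m["internet_facing"] or f["internet_facing"]
    return list(merged.values())


def priority(f):
    """Higher is more urgent: severity first, then exposure, then corroboration."""
    score = f["severity"] * 10
    if f["internet_facing"]:
        score += 5
    if len(f["sources"]) > 1:        # independently reported by two tools
        score += 3
    return score


def triage(scans, accepted=ACCEPTED):
    """Full pipeline: normalise -> dedupe -> drop accepted -> sort by priority."""
    findings = []
    for source, records in scans.items():
        findings += [normalise(r, source) for r in records]
    fresh = [f for f in dedupe(findings) if fingerprint(f) not in accepted]
    return sorted(fresh, key=priority, reverse=True)


def action_list(scans, accepted=ACCEPTED):
    """Render the triaged findings as the lines of an action list."""
    return [f'P{priority(f):02d} {f["cwe"]} {f["title"]} @ {f["location"]} '
            f'[{",".join(sorted(f["sources"]))}]'
            for f in triage(scans, accepted)]


if __name__ == "__main__":
    for line in action_list(SCANS):
        print(line)
```

Six raw records come in; three lines come out, with the internet-facing injection on top, the hard-coded secret promoted because two tools agree on it, and the accepted header finding gone. The fingerprint is the piece to get right in practice: if it is too loose, distinct bugs merge, and if it is too tight (a line number that moves with every commit), the same bug comes back as 'new' after each scan and the automation stops saving anyone time.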


5. Not Making Employees Part of the Security Process

Enterprise security shouldn't be about finding ways to work around your staff. Instead of trying to baby-proof the organisation, educate your employees on how to uphold a general standard of security. Give them the tools they need to keep the organisation secure, making them part of the solution rather than part of the problem.

When your employees understand real-world security concerns, they can take an active part in the security effort, and security becomes a shared responsibility rather than something done to them.