In my last blog (which you can read here), I discussed the hacking of Casino Rama and how this may have been caused by something called the Ostrich Effect. To review, the Ostrich Effect occurs when an organization knows they have a security risk but is unable to remediate the threat, often due to the cost and effort required for remediation.
Due to the sensitivity, complexity, and business impact of many security problems, fixing them requires a significant amount of effort and buy-in from all levels of your organization. Let’s look at seven important things, to be done in sequence, that will help you avoid the Ostrich Effect:
1. Obtain sponsorship from the top of your organization. This would include involving your Board of Directors, CEO, and representatives from various departments (marketing, HR, etc.) throughout your organization. Every department and line of business is a vital part of the solution as they are all key stakeholders, and by involving them from the start, you’ll have a greater chance of success.
2. Develop and deploy a coordinated organizational change program. This is a scientific, structured methodology that is designed to break down resistance to change and barriers within your organization.
3. When the barriers have been broken down and everyone is working in sync, you need to analyze and understand where the gaps are in your people (e.g., are the right people in the right roles?) and processes (you need to redesign your processes to cross the silos and remove all gaps).
4. Develop a roadmap for solving the problem, because you need to have a plan. It sounds straightforward but without a plan, priorities change and you will struggle to move things forward. You have to have a roadmap and you have to have support (see step #1) from your leadership team to make change happen.
Another important point is that you don’t need to solve everything at once; incremental improvements are just as important. While it is critical that you eventually plug all holes (because even one can lead to catastrophe), it’s important that you build a solid foundation first. Another advantage is that a plan gives you something to share with regulators if needed: if you have a structured plan in place, regulators will often ease off on the pressure and give you the time to implement changes based on priorities.
You have likely noticed that these first four steps are mainly centered around organizational and business process change. Once they have been completed, you are ready to implement the two key technical aspects of the solution: integration and automation. The good news is that your organization likely already has most of the tools you need to do this; they just need to be integrated so you can orchestrate a new process that utilizes them in the right way.
5. Connect your security and IT teams. Use a collaboration tool like BMC’s BladeLogic Threat Director or Flexera for the correlation, prioritization, and remediation planning.
6. Automate the remediation and testing, and then close the loop with verification. This requires a tool with a sophisticated set of capabilities, as custom scripts will no longer cut the mustard. Vendors such as BMC and Flexera offer industry-leading capabilities in patch and configuration remediation automation.
7. Gather the chain of information from these tools into one data repository that can be analyzed and formatted to satisfy both your internal audit and regulatory compliance requirements. You will need to demonstrate the complete life-cycle of your security incidents and vulnerabilities from detection to remediation and verification.
As I’m sure you can tell, even with a robust security team behind you, the sheer amount of work required to shield your organization from vulnerabilities, or to close off existing ones, is staggering and extremely resource-intensive. Online has decades of security and service management experience and may just be the partner you need to help steer your organization in the right direction.