Let’s face it, many organizations have their heads in the sand. In some cases this choice is a deliberate one; the temperature down there is cool and your face gets exfoliated. Skin care for the win! I cannot count the number of times I’ve heard security leaders say that they would rather be unaware of a risk than actually have to do something about it. This is the pinnacle of “ignorance is bliss.” They want the sand, they need moar sand! In other cases, security leaders want to make the right choices, but their heads are being forced down into the sand by their leadership.
In either example, keeping your head in the sand reduces visibility and hinders situational awareness. Situational awareness is a critical component of resilient security programs, and making decisions without it is foolhardy. Unfortunately, we have done a marvelous job of keeping our heads in the sand over the years. Take a quick journey back in time and look at these examples with me:
VMware released its ESX Server in 2002, and for years these servers sat in data centers quietly running their workloads. Many security organizations left these ESX boxes to their own devices; after all, mission-critical services weren’t running on them. Over time we learned that critical services were indeed running on them and needed to be accounted for from a security and compliance standpoint. The PCI Security Standards Council finally released virtualization guidelines in June of 2011. It took us many years before we started to get situational awareness into our virtual environments. This is a journey that continues today and extends into the public cloud (see shadow IT).
Bring Your Own Device
In June of 2007, Apple brought the first iPhone to market in what would become a significant disruption to the traditional end-user computing model. The days of corporate-owned BlackBerry smartphones were numbered as personally owned phones, tablets, and laptops would take over the enterprise. It took several years for mobile device management solutions to come online, and many organizations still struggle with gaining visibility into the corporate data that resides on these personal devices.
You have no doubt heard people claim that their organization doesn’t have shadow IT, when in fact they most certainly do. First rule of Shadow IT club is don’t talk about Shadow IT? How confident are you that your lines of business haven’t gone out and procured IaaS, PaaS, or SaaS? How confident are you that employees aren’t using services like Dropbox or Box? The lack of situational awareness into shadow IT is a huge problem.
Do you see a trend here? We are quite effective at being behind the curve, and our lack of visibility impedes decision-making, resulting in choices based on incomplete data. It is time to get off this hamster wheel by increasing our visibility. Improving internal and external situational awareness will help us better understand risks and is foundational for building a resilient security program.