They’re a common sight on our neighborhood streets: bicyclists in colorful wear, heads protected by reinforced helmets. It’s the smart way to ride, since bicycle lanes can’t always safeguard riders from distracted drivers. Yet just the other day I saw a bicyclist who was wearing a bike helmet but did not bother to buckle it – a lack of proper implementation of a great security device that basically reduced his expensive helmet to a decorative object. If the rider went flying over the handlebars, the helmet would fly off his head in the opposite direction.
As a career security professional, I could not help translating what I saw into what I have observed in cyber security today. The cyclist’s unbuckled helmet is a metaphor for the “false sense of protection” network security teams get when they throw a technology solution at their problems, but don’t “strap it on.” Companies buy technology but fail to implement the processes and people needed to leverage it in their environment and effectively use it. They believe the technology alone keeps them safe – and they couldn’t be more wrong.
As this news report highlights, this retail company made all the right moves, installing a sophisticated malware detection tool that detected threat actor activity. They hired a team of security specialists to monitor it. Yet when hackers installed malware that captured shoppers’ credit card data, what should have been a routine incident response turned into a massive breach due to an apparent breakdown in the escalation process meant to make someone take action and respond.
Why? The initial activity was observed and the alert was escalated. However, the security team failed to act on the information, allowing the hackers to progress and continue their spree. There was a breakdown in process and collaboration amongst the personnel chartered to protect the company’s operations.
When we remind customers that real security means “people, processes and technology,” this is what we are talking about. Technology is not the answer in and of itself. It’s merely a tool that must be leveraged by the right staff and the right processes or it won’t be able to do its job. The most expensive system in the world can’t protect an organization that isn’t conducting proper security operations.
Sounds logical enough, right? But here’s the problem: organizations often go technology shopping before they understand their threats and their vulnerabilities. Without doing that crucial homework, they don’t know where they’re most likely to be attacked, how to stop attacks or what the impact of the breach would be. Often they don’t even know what it is they’re defending. Instead they blindly buy security tools that promise to protect them without understanding if that specific technology aligns with their needs.
Let’s quickly review the basic tenets of security operations. Note how this guidance requires a combination of people, process, and technology. These cannot be achieved with just one or two of these elements.
- You must protect and harden your environment against attack. Shrinking your attack surface by limiting your scope and reducing your vulnerabilities will do the lion’s share of warding off attacks.
- Early detection is critical. From anti-malware tools to log reviews, you must identify malicious actor activity early in the kill chain to limit your breach exposure.
- The speed of your response can make the difference between an inconvenient breach and an epic disaster. Have a firm incident response plan in place so you can spring into action and stonewall your attackers before they exfiltrate your critical data.
Remember, security is a zero-sum game. You can’t be partially secure; one gap is all an attacker needs to get inside and begin destroying your business, your reputation and, often, your customers. The good news is that you can make a huge difference by strapping on your helmet. It’s one of the things that drew me to Armor – the company doesn’t do things halfway. We differentiate ourselves by building security into everything that we do – not bolting it on. And we practice what we preach – we strap on our helmets by employing the right technology, people and processes to build a wall of protection around our cloud – and your sensitive data. We work every day to create a secure cloud so you can enjoy the ride.