In the security community, the importance of processes and practices such as vulnerability management, regular penetration testing, and compliance with PCI DSS is widely acknowledged. The real challenge comes when trying to communicate the importance of these security practices to IT users. Recent breaches have demonstrated that what may appear to be a “simple” human error can turn out to be just as dangerous as a complex, sophisticated attack. In an informal survey of @CORESecurity’s Twitter followers, respondents echoed the sentiment that common sense and basic precautions still need to be the foundation of security best practices, and that change management and a company’s “security culture” are critical as well. Participants in our survey responded to three questions:
- What security issue worries you most?
- If budget were not an obstacle, what area of security would you invest in most heavily?
- What do you consider the greatest weakness in infrastructure security?
Throughout all the responses, similar words and phrases continually surfaced: “security culture,” “education,” “identification” and “passwords.” Not surprising. In today’s security landscape, fundamental training and a basic understanding of the threat environment are necessary for any connected business to meet minimum security standards. The usual suspects, cloud, malware, internal threats and patching, were also cited as concerns.
Some respondents highlighted counterproductive teams, and employees ignoring password and patching best practices, as major security red flags for their organizations. The continued references to education and training highlighted the importance of communication for security teams, and how far we still have to go on that front. Finally, another theme emerged: that, alongside a lack of basic training on password management and other fundamental security issues, the lack of effective “change management” poses the greatest threat to a company’s security posture.
Respondents also indicated that since remote access is a business reality, perimeter defenses alone are ineffective, and suggested that security budgets should be spent addressing endpoint protection and control.
The results of our informal survey of the @CORESecurity community indicate that a lack of communication and common sense are the biggest concerns when it comes to security. A big takeaway from all this: in order to shore up company vulnerabilities and security posture, users need to follow fundamental processes and basic practices and create a better “security culture.”
Check out a sampling of our informal survey responses below. Thanks to all who participated!