Security awareness part two: time to rip up and reassess your security strategy?

In last week’s post, I wrote about how cyber security awareness month (or European Cyber Security Month if you’re in the EU) is an ideal opportunity to launch or restart initiatives that build a better security culture throughout an organisation.

Thinking further, it seems to me this is as good a moment as any for CSOs and security leaders to take stock of their own approach to security. Human nature being what it is, we often find ourselves stuck in a certain behaviour “because that’s the way it’s always been done”, when in fact that behaviour may be past its best-by date or no longer fit for purpose.

It has become clear that a huge shift is under way from old security to new security. Old security means perimeter controls, firewalls, and antivirus. It protects physical things: devices, boxes, call them what you want.

I’ve had conversations with clients who tell me they’re secure, and they just need to confirm they’re compliant. But a closer look tells us that while they might be compliant, they’re not necessarily secure. Antivirus is a classic case in point: having it on your endpoints will guarantee a tick in the box from a regulatory compliance or governance perspective, but is it really effective? Is it keeping the bad guys out? As the old saying goes, if all you have is a hammer, every problem starts to look like a nail.

New security puts protecting data front and centre, regardless of what devices or systems it lives on. New security acknowledges that the landscape is changing. Criminals are constantly adjusting their tactics, so it follows that a completely rigid, inflexible security model is no good against an attacker that’s capable of adapting.

Security awareness month is the chance to change perspective, and maybe even to indulge in some open thinking about your security infrastructure and what it will look like in the future.

Is it time to – take a deep breath – switch off your antivirus systems? What do you think would happen if you did? Some people argue that the steady increase in cyberattacks and data breaches proves that AV has been overtaken and it’s wasted spend.

For the record, I’m not necessarily saying I agree. There are plenty of security threats that AV was never designed to address, but I think it still has a place – albeit a far less central one – in the fight against cybercriminals. It’s not that everything you’ve done up to now is wrong, but it’s a valuable exercise to re-evaluate your cybersecurity posture and ask some tough questions about every facet of protection you use.

I’d be interested to hear your views: would you dare to switch off your organisation’s AV? Will the security tools you use today safeguard your company’s data?
