What is the most thankless task in technology today?
If you answered “the help desk,” you’d be wrong. The help desk responds to users in need and fixes their problems. It provides visible help that the business can understand. Likewise, application development builds new features for business users. These departments get praise for delivering immediate value. Other functions, such as maintenance, don’t have that quick payoff.
IT security maintenance has become the most thankless IT responsibility in 2019. Why is that? What happens when security maintenance is done well? End users see nothing. Executives hear nothing. It’s the classic out of sight, out of mind situation. In the short term, you might not even notice that your IT security upkeep is falling behind.
Signs Your Cybersecurity Maintenance Is Falling Dangerously Behind
As you review these signs, ask yourself how a knowledgeable business rival would rate you on each sign. If you’re unsure whether you have a particular problem, avoid giving yourself the benefit of the doubt. Now, look at the first sign: relying upon business end users.
1. You rely upon end users to report security gaps
Some companies have embraced the principle that everyone is responsible for cybersecurity. There’s just one problem with that: your end users have limited time and attention for security matters. They’re only going to be helpful in spotting the most obvious security problems.
For example, business users can be trained to spot and avoid phishing attacks. You may even train them to avoid password reuse disease. Deeper issues of security design, monitoring and oversight will be ignored if you mainly rely on end users for your security program.
2. You use manual IT security maintenance tracking
Are you still using a spreadsheet for security tracking? That’s not going to cut it anymore, because maintenance activities work best when they’re executed consistently. When you rely upon a spreadsheet to track your work, it’s easy to fall behind. It starts small with missing a monthly access management review. Before you know it, it’s been nearly a year since your managers have eliminated inactive users from your systems.
Manual tracking also makes it difficult to provide evidence of review. In the mind of a typical auditor, no evidence means nothing was done. That leads into the next sign of weak IT security maintenance.
3. You have internal audit findings for cybersecurity
Love them or loathe them, internal audit has an important role to play at your organization. Without their independent perspective, it’ll be too easy to miss problems. In our experience, auditors are excellent at finding a few types of problems related to IT security. They’ll point out problems at the policy and oversight level. Internal auditors are also skilled at identifying departures from best practices.
When internal audit detects IT security problems, weak maintenance is involved. You can have the best policies and procedures in the world. However, if those practices aren’t maintained, you’ll become more vulnerable. Proactive IT security maintenance will also help managers identify problems before auditors appear. That means you can fix issues yourself rather than being called out in an audit report.
4. You struggle to answer routine security questions from senior management
Think back to the last time your company suffered a significant security incident. There was a mad scramble to get answers. You asked your security specialists to work late. If the problem is particularly terrible, you might be called to present in front of the Board or the executive committee.
At this stage, you’ll start to face painful questions like these:
- What’s the root cause of this breakdown?
- What early warning process did we have to detect this problem?
- Do you have the right tools to detect and prevent security incidents?
- Were managers doing everything they could to prevent these problems?
- What KPIs were you tracking for security?
These questions are just the tip of the iceberg when it comes to cybersecurity. If you have a strong story to tell about cybersecurity, including security maintenance, you’ll emerge from the crisis unscathed.
5. You’re constantly putting out security fires
You might not face an embarrassing hacking incident every month. However, you may still be stuck in firefighting mode. For example, your marketing department wants to implement new automation tools, but you have no established process to evaluate new software. Therefore, you have to disrupt your staff and ask them to evaluate the project.
This reactive work methodology means you never have time for maintenance. That neglect adds up over time, and if you’re not careful, you might even lose customers.
6. Your company starts to lose deals with demanding customers
If you sell software or cloud services to banks and Fortune 500 customers, poor IT security maintenance will kill your deals. Enterprise buyers have invested heavily in their brands; they can’t afford to lose respect by doing business with a poorly managed vendor. Your company is likely to fail the due diligence process that large companies use with every purchase.
Avoid the Seductive Solution to Poor Maintenance
Hire more staff! That’s the solution you might have in mind to fix poor IT security maintenance. It’s the seductive solution because managers know how to hire. Besides, it’s satisfying to build up your department’s workforce. So, what’s wrong with this approach?
You’re unlikely to get support to hire more staff if you’re perceived as a poorly managed department. Executives will question whether you’re making the most of your current staff. They may also question if you’re fully leveraging automation in IT security. Instead of asking for more salary dollars, take a different approach.
Start your research to identify a few cybersecurity software solutions. It’s best to start with a password management solution such as Password Management, since you can obtain some easy wins there. For example, you can consistently enforce strong password requirements. Even better, you can finally bring multi-factor authentication into your organization.