Can you actually "secure" anything from a bad actor who wants to crack your defenses? I used to think you could. I believed that leading practice in cyber arts would effectively make you... secure.
I was wrong. A determined and skilled aggressor can crack your defenses and breach your standards. In fact, standards may make you less secure than you would be otherwise. Why? Hackers like soft, high-value targets. If you are dutifully complying with broad industry standards, odds are those standards have been breached. Further, given the relatively "frictionless" manner in which the tools and techniques of hackers are shared, your highly standardized architectures are likely to have been breached moments after they are published.
So, why do we spend BILLIONS on development of standards? Simply put, standards are easy and standards sell. Who hasn't come back from RSA or (insert favorite conference here) with a sheaf of business cards and brochures from the latest tool vendor or security solution seller? Each of those folks was very quick to point out their product's compliance with this standard or that standard. Your Board and leadership team are hammering on you for your plan to secure your enterprise. What do you do? Tell them you're gonna just head out into the cyber-frontier alone, unarmed and unafraid? LOL... No. You're going to say, "I've just seen the greatest security platform ever invented! I'm going to install DeepBlackRainDog into our architecture and sleep well tonight, knowing that no one could ever penetrate my fortress of glitz and dazzle." It's usually about this point that a clerk from accounting clicks on some very attractive offer from a recently-deposed Nigerian Prince to help him deposit a "princely" sum of money and share it with him... BOOM! You're breached! And your security tool license fees just paid for another tech wunderkind's Tesla.
OK, so what are we as tech leaders to do? The truth is that we need some standards to start with. They reduce the integration challenge. They generally reduce some operating costs. And they provide the canvas onto which you will paint your security masterpiece. That masterpiece will include solid and traceable processes, deep security policies, strong defensive architectures, and repeated testing, tweaking, and transforming of your cyber ecosystem. Additionally, you will seek to understand who your actual threats are... Insiders? Nation-state? Competitors?
Then let's get fancy... Let's harness the power of the "security data cloud" you're creating and apply some rudimentary behavior predictive analytics. What are you doing with your security camera data? Card swipe? Email patterns? Geo-fencing key threats and assets? The list goes on and on.
You are a talented technology leader. You clearly recognize that you can't install a software package... or hundreds of them... and realize any meaningful increase in security. You see that a comprehensive and well-integrated security program of Physical Security, Human Intelligence, and Cyber Practices is necessary to make your enterprise a less attractive target than the next guy. And it's like the two guys hiking in the woods who come across a bear: you don't have to be faster than the bear... just faster than your buddy.
Be safe. Be afraid. And thrive amongst the bad guys. #agencygrade