6 ways security pros unwittingly compromise enterprise security

That executives bypass security controls due to a lack of engagement between security and business decision makers seems logical, but the C-suite folks are not the only ones guilty of self-defeating behavior that creates more risk. 

Security professionals also do things that unwittingly introduce risks and compromise enterprise security. Here’s a look at six self-defeating behaviors you should avoid: 

1. Downloading tools that introduce risk

There are some security decision makers who—even though they are trying to do the right thing—take liberties to make their days easier. Perhaps they are afraid of their executives who want bypasses to do their work. Maybe it’s that they themselves want a certain tool. Either way, they download tools and introduce risk.

2. Defaulting to ‘trusting their guts’

Bay Dynamics co-founder and CTO Ryan Stolte said half of the security alerts coming in are issues that security professionals think they have seen before. So, they default to what they know, do what they’ve done before, and move on the the next alert.

They recategorized, and that’s sort of sweeping it under the rug, Stolte said. People aren’t meaningfully saying I’ve been breached and I want to hide it, but they sweep a lot of stuff under the rug.

3. Cutting corners and misconfiguring technology because they’re focused on deployment

Even when security practitioners decide to leverage technology, they end up cutting corners when they focus on deployment but misconfigure the technology. 

Lucas Moody, vice president and CISO at Palo Alto Networks, said, “Security professionals focus on the outcomes that the technology promises. The tough part is behind the technology. The work is once the technology is in place, but they are not carrying it through in the configuration.”

It’s self-defeating to deploy technology that requires downstream security operations work without focusing on configuration. Instead, security professionals react to something. A tool is deployed that will help them find malware, but they don’t put in the processes behind that to go and find the malware, Moody said.

4. Patching reactively

As is evidenced in the expansion and prevalence of ransomware, a lot of organizations are patching reactively.

“It’s relatively easy to quickly roll out patches, but we are doing it after things are felt instead of putting in a process to proactively deploy patches,” Moody said.

To be fair, patching isn’t always easy for every organization. Security practitioners need to consider whether a patch will disrupt the workforce or complicate end user interaction.

Because security professionals don’t want to introduce the friction that comes with patching, they decide to put it off until next week or two months from now. That is not explicitly cutting corners as much as it is a fact of having 10 things they are focused on, Moody said.

5. Investing in detection vs. prevention

Where and how to invest can also be self-defeating decisions. Investment in detection vs. prevention has caused problems, said Moody. Whether it’s that the tool wasn’t robust enough to do prevention work or that it was the old-school way of thinking, security professionals invested in detection, focusing on the alarms instead of the prevention.

6. Paying ransoms

Another bad investment decision is choosing to pay ransoms when hackers hit them with ransomware. If you back up your systems, you can avoid this.

Paying ransoms is “a ridiculous way to deal and puts incentives in the wrong hands. Most large organizations have the means and the appetite to invest in backup systems,” Moody said.