Overwhelmed and eager to please, security professionals can sometimes cut corners, or worse, unknowingly shoot themselves in the foot.

That executives bypass security controls because security and business decision makers do not engage with each other seems logical, but the C-suite is not alone in self-defeating behavior that creates more risk. Security professionals also do things that unwittingly introduce risk and compromise enterprise security. Here is a look at six self-defeating behaviors you should avoid.

1. Downloading tools that introduce risk

Some security decision makers, even though they are trying to do the right thing, take liberties to make their days easier. Perhaps they are afraid of executives who want bypasses to get their work done. Maybe they themselves want a particular tool. Either way, they download the tools and introduce risk.

2. Defaulting to 'trusting their gut'

Bay Dynamics co-founder and CTO Ryan Stolte said that half of the security alerts coming in look like issues security professionals think they have seen before. So they default to what they know, do what they did last time, and move on to the next alert. "They recategorize it, and that's sort of sweeping it under the rug," Stolte said. "People aren't meaningfully saying, 'I've been breached and I want to hide it,' but they sweep a lot of stuff under the rug."

3. Cutting corners and misconfiguring technology because they're focused on deployment

Even when security practitioners decide to use technology, they cut corners by concentrating on getting it deployed and then leaving it misconfigured. Lucas Moody, vice president and CISO at Palo Alto Networks, said, "Security professionals focus on the outcomes that the technology promises. The tough part is behind the technology. The work is once the technology is in place, but they are not carrying it through in the configuration."

It is self-defeating to deploy technology that requires downstream security operations work without paying attention to configuration. Instead, security professionals react to something: a tool is deployed that will help them find malware, but they don't put in the processes behind it to actually go and find the malware, Moody said.

4. Patching reactively

As the spread and prevalence of ransomware shows, many organizations patch reactively. "It's relatively easy to quickly roll out patches, but we are doing it after things are felt instead of putting in a process to proactively deploy patches," Moody said.

To be fair, patching isn't easy for every organization. Security practitioners need to consider whether a patch will disrupt the workforce or complicate the end-user experience. Because they don't want to introduce the friction that comes with patching, they put it off until next week, or two months from now. That is not so much explicitly cutting corners as a consequence of having 10 things to focus on at once, Moody said.

5. Investing in detection vs. prevention

Where and how to invest can also be a self-defeating decision. Investing in detection rather than prevention has caused problems, Moody said. Whether the tool wasn't robust enough to do prevention work or the choice reflected old-school thinking, security professionals invested in detection and focused on the alarms instead of on prevention.

6. Paying ransoms

Another bad investment decision is paying the ransom when attackers hit an organization with ransomware. If you back up your systems, and have tested that you can actually restore from those backups, you can avoid it.

Paying ransoms is "a ridiculous way to deal and puts incentives in the wrong hands. Most large organizations have the means and the appetite to invest in backup systems," Moody said.
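The "process to proactively deploy patches" that item 4 calls for needs one concrete input: which hosts are still running a version older than the fix, and for how long past the agreed deadline. The following is an added example, not code from the article or from any vendor quoted in it. It assumes a hypothetical inventory export (host name plus installed package versions) and a hypothetical advisory feed (package, fixed version, publication date, severity), both constructed inline here, and it assumes a per-severity patch SLA in days; the SLA numbers, package names, version strings and advisory IDs are all made up for illustration.

```python
"""Flag hosts whose pending security patches have exceeded a patch SLA.

Added example (not from the original article). Inventory, advisories and SLA
values below are constructed sample data, not real systems or real advisories.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # hypothetical internal tracking ID
    package: str
    fixed_version: str    # first version that carries the fix
    published: date
    severity: str         # key into SLA_DAYS


@dataclass(frozen=True)
class Host:
    name: str
    package_versions: Dict[str, str]   # package -> installed version


# Assumed patch SLA per severity, in days from advisory publication.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def needs_patch(installed: Optional[str], fixed_version: str) -> bool:
    """True when the package is present and older than the fixed version."""
    if installed is None:          # package not installed: advisory does not apply
        return False
    return parse_version(installed) < parse_version(fixed_version)


def assess(hosts: List[Host], advisories: List[Advisory], today: date) -> List[dict]:
    """Return one finding per (host, advisory) pair that is still unpatched.

    Each finding records how old the advisory is, the SLA that applies, and
    whether the host is already past it ("overdue") or still inside the
    window ("within_sla"), so the output can drive a proactive patch queue
    rather than an after-the-incident scramble.
    """
    findings = []
    for host in hosts:
        for adv in advisories:
            if not needs_patch(host.package_versions.get(adv.package), adv.fixed_version):
                continue
            age_days = (today - adv.published).days
            sla_days = SLA_DAYS[adv.severity]
            findings.append({
                "host": host.name,
                "advisory": adv.advisory_id,
                "package": adv.package,
                "installed": host.package_versions[adv.package],
                "fixed_version": adv.fixed_version,
                "age_days": age_days,
                "sla_days": sla_days,
                "status": "overdue" if age_days > sla_days else "within_sla",
            })
    # Worst offenders first: overdue before within-SLA, then by days past SLA.
    findings.sort(key=lambda f: (f["status"] != "overdue", -(f["age_days"] - f["sla_days"])))
    return findings


# Constructed sample data (not real hosts, packages or advisories).
SAMPLE_ADVISORIES = [
    Advisory("ADV-001", "openssl", "1.1.5", date(2017, 9, 1), "critical"),
    Advisory("ADV-002", "nginx", "1.18.2", date(2017, 9, 25), "medium"),
    Advisory("ADV-003", "postgresql", "13.4", date(2017, 9, 20), "high"),
]

SAMPLE_HOSTS = [
    Host("web-01", {"openssl": "1.1.3", "nginx": "1.18.0"}),
    Host("db-01", {"openssl": "1.1.5", "postgresql": "13.3"}),   # openssl already fixed
    Host("mail-01", {"openssl": "1.1.2"}),
]

SAMPLE_TODAY = date(2017, 10, 1)


def sample_findings() -> List[dict]:
    """Run the assessment over the constructed sample data."""
    return assess(SAMPLE_HOSTS, SAMPLE_ADVISORIES, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['status']:<10} {f['host']:<8} {f['advisory']} {f['package']} "
              f"{f['installed']} -> {f['fixed_version']} (age {f['age_days']}d, SLA {f['sla_days']}d)")
```

Run against the sample data it reports the two hosts still on a vulnerable openssl as overdue (30 days old against a 7-day SLA) and lists the nginx and postgresql items as within their windows, which is exactly the queue a proactive process works from before anything is "felt". In practice the inventory would come from your configuration-management or vulnerability-scanner export and the advisory list from your vendor feeds; the version comparison here handles only dotted numeric versions, so distribution-specific schemes (epochs, release suffixes) need a proper version library.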