Protect Your Assets

What NOT to do for Information Security

02-26-2014 06:26 AM - edited 07-07-2015 09:49 AM


In the midst of the 20,000 attendees at the RSA conference, speaking with customers, partners, and competitors, I am learning more about what NOT to do for information security than about what should be done. Here are some notes from my meetings on what NOT to do for information security:


Over-reliance on analysis

It is critical to analyze and tag the data in your organization, whether humans or machines generate it, and there is no shortage of analytics that can be run on it. Relying on that analysis alone, however, is not a great idea.


Analysis that looks for specific patterns or rules produces exactly the kind of signature that the bad guys can quickly learn to evade, so what usually happens in these cases is that the opportunity cost of the decision analysis exceeds its benefit. For instance, a large retailer once analyzed the cost of adding and extending physical security to prevent shoplifting and found that doing nothing was, financially, far more beneficial.


Over-provisioning of access

When setting up role-based access control for security or regulatory reasons, most customers draw up an exhaustive, comprehensive list of every use case a role would or might perform and grant access for all of them. It is better practice to be conservative when granting access: a permission that is rarely exercised can usually be replaced by a simple, viewable report provided on request. At the same time, locking everything down and prohibiting collaboration is not good practice either; there is a way to provide a safe collaboration platform.
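One practical way to act on the "be conservative" advice is to compare what each role is granted with what it actually exercised during a review window, and treat the difference as candidates for revocation (or for replacement by an on-request report). The following is an added example, not code from the original post; the role definitions, the access-log format, the 90-day window and the 25 percent threshold are all constructed assumptions for illustration.

```python
"""Detect over-provisioned roles by comparing granted permissions with the
permissions actually exercised in an access log.

Added example, not from the original post. Role definitions, log format,
review date, review window and threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role definitions: role -> set of granted permissions.
ROLES = {
    "finance_analyst": {"reports:read", "reports:export", "ledger:write", "hr:read"},
    "support_agent": {"tickets:read", "tickets:write", "customers:read", "customers:delete"},
    "auditor": {"reports:read", "ledger:read"},
}

# Constructed access log: one authorized action per line,
# "<ISO timestamp> <role> <permission>". The last line is deliberately old.
ACCESS_LOG = """\
2014-02-01T09:12:00 finance_analyst reports:read
2014-02-03T11:40:00 finance_analyst reports:export
2014-02-10T16:05:00 support_agent tickets:read
2014-02-10T16:06:00 support_agent tickets:write
2014-02-11T08:30:00 support_agent customers:read
2014-02-20T13:00:00 auditor reports:read
2014-02-21T13:00:00 auditor ledger:read
2013-10-01T09:00:00 finance_analyst ledger:write
"""

# Assumed date on which the review is run.
REVIEW_DATE = datetime(2014, 2, 26)


def parse_log(text):
    """Yield (timestamp, role, permission) tuples, skipping blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, role, perm = line.split()
        yield datetime.fromisoformat(ts), role, perm


def used_permissions(log_text, now, window_days=90):
    """Return role -> set of permissions exercised within the review window."""
    cutoff = now - timedelta(days=window_days)
    used = defaultdict(set)
    for ts, role, perm in parse_log(log_text):
        if ts >= cutoff:
            used[role].add(perm)
    return used


def unused_grants(roles, log_text, now, window_days=90):
    """Return role -> sorted list of granted permissions not used in the window.
    A permission last used before the window (stale) counts as unused."""
    used = used_permissions(log_text, now, window_days)
    return {role: sorted(perms - used.get(role, set()))
            for role, perms in roles.items()}


def overprovisioned_roles(roles, log_text, now, window_days=90,
                          max_unused_ratio=0.25):
    """Return role -> unused grants for roles where more than
    max_unused_ratio of the granted permissions went unused."""
    flagged = {}
    for role, unused in unused_grants(roles, log_text, now, window_days).items():
        if len(unused) / len(roles[role]) > max_unused_ratio:
            flagged[role] = unused
    return flagged


if __name__ == "__main__":
    for role, unused in overprovisioned_roles(ROLES, ACCESS_LOG, REVIEW_DATE).items():
        print(f"{role}: revocation candidates {unused}")
```

With the constructed data, finance_analyst is flagged because two of its four grants (hr:read, and a ledger:write last used outside the window) went unexercised, while support_agent's single unused grant sits exactly at the threshold and is reported but not flagged. In a real deployment the access log would come from the authorization layer or an audit trail, and a stale-but-granted permission is exactly the kind of entitlement this post suggests replacing with a report on request.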


Treating data as shared enterprise

Data is an important asset of a company. It is dynamic and keeps moving between people, systems, and applications. It is definitely not a shared enterprise, and treating it like one without having everyone commit to the new way of doing things is not a good idea. When you use tools such as or and arm users with more information, it is important to educate those users on what they are now capable of and what they should be careful about.


Mobility and corporate data

Your users want all of the corporate data on their mobile device of choice, but they may not comply with all of the company's policies. They may refuse to install the MDM (mobile device management) or app management agent over battery or privacy concerns, or they may simply not follow good security practices such as strong passcodes and device encryption. Data breach or loss through stolen or lost mobile devices has become a common issue, and most of it is attributable to putting the full corporate data set on poorly provisioned devices.


Over-reliance on cloud service providers

Whose responsibility is security? The cloud service provider's? The vendors'? The applications running on top of these clouds? The users'? The answer: all of the above. Most users assume it is somebody else's responsibility and end up fire-fighting. Whether the cloud is public, private, or hybrid, simple measures such as log management and security event management can reduce the risk by up to 97 percent (according to Verizon's Data Breach Investigations Report). The next time you are evaluating a cloud service, make sure it exposes REST APIs so that you can pull security events out of it and analyze them in your security analytics tools.
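What "pull security events over a REST API and analyze them" looks like in practice: follow the provider's pagination until it signals the last page, normalize each event into a schema your analytics tooling already understands, and run detections over the result. The following is an added example, not code from the original post or from any particular provider; the endpoint shape (a page token in the response), the field names and the sample events are constructed assumptions, and fetch_page stands in for an authenticated HTTPS GET so the example runs offline.

```python
"""Pull security events from a cloud provider's paginated REST API,
normalize them into one schema, and run a simple detection over them.

Added example, not from the original post. The response shape
('events' plus 'next_page_token'), the field names and the sample events
are assumptions; fetch_page stands in for an authenticated HTTPS GET.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed API responses, keyed by the page token used to request them.
# The first request carries no token; the last page returns a null token.
FAKE_PAGES = {
    None: json.dumps({"events": [
        {"time": "2014-02-25T08:00:01Z", "type": "console.login", "actor": "alice",
         "src_ip": "203.0.113.10", "outcome": "success"},
        {"time": "2014-02-25T08:00:05Z", "type": "console.login", "actor": "bob",
         "src_ip": "198.51.100.7", "outcome": "failure"},
        {"time": "2014-02-25T08:00:09Z", "type": "console.login", "actor": "bob",
         "src_ip": "198.51.100.7", "outcome": "failure"},
    ], "next_page_token": "p2"}),
    "p2": json.dumps({"events": [
        {"time": "2014-02-25T08:00:12Z", "type": "console.login", "actor": "bob",
         "src_ip": "198.51.100.7", "outcome": "failure"},
        {"time": "2014-02-25T08:00:20Z", "type": "iam.policy.change", "actor": "alice",
         "src_ip": "203.0.113.10", "outcome": "success"},
        {"time": "2014-02-25T08:01:00Z", "type": "console.login", "actor": "bob",
         "src_ip": "198.51.100.7", "outcome": "failure"},
    ], "next_page_token": None}),
}


def fetch_page(page_token):
    """Stand-in for GET /v1/events?page_token=<token> with provider credentials."""
    return json.loads(FAKE_PAGES[page_token])


def pull_all_events(fetch=fetch_page, max_pages=1000):
    """Follow next_page_token until the provider returns a null token.
    max_pages guards against a provider that never terminates pagination."""
    events, token, pages = [], None, 0
    while pages < max_pages:
        body = fetch(token)
        events.extend(body.get("events", []))
        token = body.get("next_page_token")
        pages += 1
        if token is None:
            break
    return events


def normalize(event):
    """Map provider-specific fields onto a common schema so events from
    several clouds can land in the same analytics pipeline."""
    return {
        "ts": datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": event["type"],
        "user": event["actor"],
        "src": event["src_ip"],
        "ok": event["outcome"] == "success",
    }


def failed_login_bursts(events, threshold=3, window_seconds=60):
    """Return (user, src) pairs with at least `threshold` failed console logins
    inside any `window_seconds` span: a simple brute-force indicator."""
    failures = sorted((e["ts"], e["user"], e["src"]) for e in events
                      if e["action"] == "console.login" and not e["ok"])
    by_key = {}
    for ts, user, src in failures:
        by_key.setdefault((user, src), []).append(ts)
    flagged = []
    for key, times in by_key.items():
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


def analyze(fetch=fetch_page):
    """Pull, normalize and summarize: counts per action plus brute-force hits."""
    events = [normalize(e) for e in pull_all_events(fetch)]
    return {"event_count": len(events),
            "actions": dict(Counter(e["action"] for e in events)),
            "brute_force": failed_login_bursts(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2, default=str))
```

Two design points worth carrying into a real client: always bound the pagination loop, because a misbehaving provider that keeps handing back tokens will otherwise stall the collector, and normalize before detecting, so the same brute-force rule runs unchanged whether the events came from a public, private, or hybrid cloud.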
