Protect Your Assets

What NOT to do for Information Security

Sri_Karnam 02-26-2014 06:26 AM - edited 07-07-2015 09:49 AM


In the midst of 20,000 users at RSA conference, as I speak with customers, partners, and competitors, I am learning what NOT to do for information security more than what should be done. Here let me share some notes from my meetings on best practices for what NOT to do for information security:


Over-reliance on analysis

It is very critical to analyze and tag all the data in your organization. Whether the data is generated by humans or machines, we cannot have enough analytics done on the data. However, over-reliance on analysis of data is not a great idea.


If you are looking for specific patterns or rules through analysis, these are the things that bad guys can quickly overcome. A situation in which the opportunity cost of decision analysis exceeds its benefits is pretty much what happens in these cases. For instance, a large retailer once analyzed the cost of adding and extending physical security to prevent shoplifting and found that doing nothing was, financially, far more beneficial.


Over-provisioning of access

While managing role-based access control mechanisms for security or regulatory purposes, most customers compile an exhaustive, comprehensive list of use cases that each role would or may perform and grant access accordingly. However, it is good practice to be conservative when granting access: it is easy to provide simple, viewable reports upon request. At the same time, it is not good practice to lock everything down and prohibit collaboration. There is a way to provide a safe collaboration platform.


Treating data as shared enterprise

Data is an important asset of a company. Data is dynamic, and it keeps moving between people, systems, and applications. It is definitely not a shared enterprise, and treating it like one without having everyone commit to the new way of doing things may not be a good idea. When you use tools such as or and arm users with more information, it is important to educate the users on what they are capable of and what they should be careful about.


Mobility and corporate data

Your users want all of the corporate data on their mobile device of choice, but they may not comply with all of the company's policies. They may not install the MDM (mobile device management) or app management client because of battery or privacy concerns, or they simply may not follow good security practices, such as strong passwords or hard drive encryption. Data breaches or losses due to stolen or lost mobile devices have become a common issue, and most of them are attributed to pushing full corporate data onto badly provisioned mobile devices.


Over-reliance on cloud service providers

Whose responsibility is security? Is it the cloud service provider's? The vendors'? The applications on top of these clouds? Or the users'? The answer: all of the above. Most users assume that it is somebody else's responsibility and end up in a fire-fight. Whether it is a public, private, or hybrid cloud, taking simple measures (such as log management and security event management) can reduce the risk by up to 97 percent (as stated in Verizon's Data Breach Investigations Report). The next time you are considering a cloud service, ensure that it supports REST APIs so that you can pull security events from the cloud and analyze them in security analytics tools.
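As an added illustration of the last point (this is example code, not part of the original post and not any vendor's tool), the script below pulls login events from a provider's REST endpoint and runs two simple security-event rules over them: a burst of failed logins for one account within a time window, and a successful login that immediately follows such a burst. The endpoint URL, bearer token and the JSON event shape are assumptions; the embedded sample events are constructed so the analysis runs offline.

```python
import json
import urllib.request
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of what a cloud provider's audit/event API might return.
# The field names are a hypothetical shape; real providers differ.
SAMPLE_EVENTS_JSON = """
[
 {"ts": "2014-02-26T06:00:01Z", "user": "alice", "action": "login", "result": "failure", "src": "203.0.113.5"},
 {"ts": "2014-02-26T06:00:10Z", "user": "alice", "action": "login", "result": "failure", "src": "203.0.113.5"},
 {"ts": "2014-02-26T06:00:25Z", "user": "alice", "action": "login", "result": "failure", "src": "203.0.113.5"},
 {"ts": "2014-02-26T06:00:40Z", "user": "alice", "action": "login", "result": "failure", "src": "203.0.113.5"},
 {"ts": "2014-02-26T06:01:02Z", "user": "alice", "action": "login", "result": "failure", "src": "203.0.113.5"},
 {"ts": "2014-02-26T06:01:30Z", "user": "alice", "action": "login", "result": "failure", "src": "203.0.113.5"},
 {"ts": "2014-02-26T06:02:00Z", "user": "alice", "action": "login", "result": "success", "src": "203.0.113.5"},
 {"ts": "2014-02-26T06:02:30Z", "user": "alice", "action": "download", "result": "success", "src": "203.0.113.5"},
 {"ts": "2014-02-26T06:03:00Z", "user": "bob",   "action": "login", "result": "failure", "src": "198.51.100.7"},
 {"ts": "2014-02-26T06:03:30Z", "user": "bob",   "action": "login", "result": "failure", "src": "198.51.100.7"},
 {"ts": "2014-02-26T06:04:00Z", "user": "bob",   "action": "login", "result": "success", "src": "198.51.100.7"},
 {"ts": "2014-02-26T06:05:00Z", "user": "carol", "action": "login", "result": "success", "src": "192.0.2.9"}
]
"""

FAILED_LOGIN_THRESHOLD = 5          # failures within WINDOW that trigger an alert
WINDOW = timedelta(minutes=10)


def parse_events(raw_json):
    """Decode the API response and return events sorted by timestamp."""
    events = json.loads(raw_json)
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def fetch_events(url, token):
    """Pull events from a (hypothetical) REST endpoint using a bearer token.
    Not exercised offline; shown so the pull-then-analyze flow is complete."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_events(resp.read().decode("utf-8"))


def analyze(events, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Single pass over time-ordered events; returns a list of alert dicts.

    Rule 1 (failed_login_burst): >= threshold failed logins for one user
    inside a sliding window (alerted once per user).
    Rule 2 (success_after_failure_burst): a successful login while the
    user's window still holds >= threshold failures.
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    burst_alerted = set()
    alerts = []
    for e in events:
        if e["action"] != "login":
            continue
        q = failures[e["user"]]
        # Drop failures that fell out of the window relative to this event.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["result"] == "failure":
            q.append(e["ts"])
            if len(q) >= threshold and e["user"] not in burst_alerted:
                alerts.append({"rule": "failed_login_burst", "user": e["user"],
                               "count": len(q), "src": e["src"],
                               "first": q[0].isoformat(), "last": e["ts"].isoformat()})
                burst_alerted.add(e["user"])
        elif e["result"] == "success" and len(q) >= threshold:
            alerts.append({"rule": "success_after_failure_burst", "user": e["user"],
                           "failures_before": len(q), "src": e["src"],
                           "ts": e["ts"].isoformat()})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_events(SAMPLE_EVENTS_JSON)):
        print(json.dumps(alert))
```

On the constructed data the script raises two alerts, both for `alice` (a five-failure burst, then a success after six failures), and nothing for `bob`, whose two failures stay under the threshold. The same two functions would run unchanged over the output of `fetch_events` once pointed at a real provider endpoint, which is the practical reason to insist on a REST event API before committing to a cloud service.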
