Government Agencies Rely Too Heavily on Compliance
- Software is now running our world. If we don’t create and deploy secure software, we are creating massive attack surfaces for ourselves.
- Most government agencies are not driven by a need to achieve a certain security posture. Rather, they’re driven by mandates to be compliant with security standards.
“If you tell business people, ‘Hey, look at all these systems that have antivirus!’ Who cares? What does that even mean to me?”
When evaluating any organization’s security posture at a high level, Ed Adams collects information and metrics that answer three key questions:
• How well patched are your systems? “The reason I start with that one metric,” Adams says, “is because about 80 percent of all successful attacks take advantage of known security vulnerabilities.” A rigorous patching policy that keeps software up-to-date across all systems and devices, including mobile devices, therefore dramatically reduces your attack profile and blocks 80 percent of potentially successful attacks right out of the gate. In practice this is a composite metric built from per-system figures, such as the percentage of all routers that are up-to-date, the percentage of all Windows Server instances, the percentage of all Linux servers, the percentage of all iOS devices, and so on. “I would determine the patch and update status of all of the systems. It’s not a trivial task, but it’s an important one,” says Adams.
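As an added illustration (not from the book or from Adams), the following script computes the patch-status metric described above over a constructed asset inventory, reporting per-system-class coverage plus an overall roll-up and flagging classes that fall short. The inventory rows, version strings, the equality-based "up-to-date" test, and the 90 percent threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory: (asset id, system class, installed version, latest available version).
# In a real environment these rows would come from a CMDB, MDM, or vulnerability scanner.
INVENTORY = [
    ("rtr-01", "router", "15.2.4", "15.2.4"),
    ("rtr-02", "router", "15.2.4", "15.2.4"),
    ("win-01", "windows_server", "2019-kb5001", "2019-kb5003"),
    ("win-02", "windows_server", "2019-kb5003", "2019-kb5003"),
    ("win-03", "windows_server", "2019-kb5003", "2019-kb5003"),
    ("lnx-01", "linux_server", "5.15.0-91", "5.15.0-91"),
    ("lnx-02", "linux_server", "5.15.0-88", "5.15.0-91"),
    ("ios-01", "ios_device", "17.4", "17.4"),
    ("ios-02", "ios_device", "17.4", "17.4"),
    ("ios-03", "ios_device", "16.7", "17.4"),
]


def patch_coverage(inventory):
    """Return {system_class: (patched, total, percent)} plus an 'all' roll-up.

    An asset counts as patched when its installed version equals the latest
    available one (assumption); a real inventory would compare against vendor
    advisories rather than plain string equality.
    """
    counts = defaultdict(lambda: [0, 0])  # class -> [patched, total]
    for _asset_id, cls, installed, latest in inventory:
        counts[cls][1] += 1
        if installed == latest:
            counts[cls][0] += 1
    result = {}
    total_patched = total_assets = 0
    for cls, (patched, total) in sorted(counts.items()):
        result[cls] = (patched, total, round(100.0 * patched / total, 1))
        total_patched += patched
        total_assets += total
    result["all"] = (total_patched, total_assets,
                     round(100.0 * total_patched / total_assets, 1))
    return result


def below_threshold(coverage, minimum_percent=90.0):
    """List system classes whose coverage is under the policy threshold (assumed 90%)."""
    return sorted(cls for cls, (_p, _t, pct) in coverage.items()
                  if cls != "all" and pct < minimum_percent)


if __name__ == "__main__":
    cov = patch_coverage(INVENTORY)
    for cls, (patched, total, pct) in cov.items():
        print(f"{cls:15s} {patched}/{total} patched ({pct}%)")
    print("below threshold:", below_threshold(cov))
```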