Network security comes up in a lot of my client interactions, as there is a ton of overlap between networking technology (data center, wan, campus networks) and network security (firewalls, SWG, NAC, IPS etc.).
Sometimes, networking and security teams are very well-aligned, but often times – not so much. This got Jeremy D’Hoinne (Gartner colleague who covers Network Security) and myself thinking, and we decided to publish research on the 12 most common “worst practices” in network security. These dirty dozen include:
- Shiny new object syndrome
- Culture of no
- Insufficient focus on users and business requirements
- Defense with inadequate depth
- Organizational misalignment
- Suboptimal branch architecture
- Security blind spots
- Uncoordinated policy management
- Noncompetitive vendor selections
- Hazardous network segmentation
- Inadequate end user education
- Inadequate security event management
For each “worst practice”, we provide a definition and real-world examples, identify their impact, and provide specific guidance to avoid them. Here’s an example (a snippet from the research), which is one of my personal favorites:
Shiny New Object Syndrome (AKA “best of too many breeds” and “technology of the year”)
As technologists, IT personnel are encouraged to look for technical solutions to problems. This mentality is further encouraged by vendor hype and marketecture, with many vendors claiming “this is the last tool you’ll ever need,” or “this is the year of X.” However, in many instances, new technology products or services are not the ideal solution.
Instead, changes to policy/process, leveraging an existing technology and/or simply waiting will achieve a similar impact. In many instances, avoiding acquiring new products can simplify the technical environment and reduce operating expenditure/capital expenditure (OpEX/CapEX).
Action: Gartner recommends that CISOs foster an organizational culture that addresses the following questions before introducing any new technology:
- Can the root issue be addressed via a policy or process change?
- If we wait a year, will this become a commoditized capability from established providers (or my existing providers)?
- Do we have existing network, security, or management capabilities that can address the bulk (i.e., 85%) of the technological requirements?
- Do we have the right process and staff expertise to properly leverage the new technology?
You can check out the full research here:
Avoid These “Dirty Dozen” Network Security Worst Practices
Summary: This research identifies 12 commonly observed network security practices that reduce network availability, increase expenditure or risks, and alienate end users. CISOs should avoid these practices, and they can do so without sacrificing security posture or breaking the bank.
PS – It’s not the network….but.. if you think it’s the firewall…