All too often, the de-facto information security practitioner in an organization faces the reality that the goal of 100% security by any definition is met head on by the realities of the ever-evolving information security world and by policy, budget, and political realities. Pick and choose your battles.
Become that trusted advisor
As the key practitioner within your organization (perhaps you might even hold a title such as Information Security Officer), stick to the basic tenets of your true role. For one, you are essentially a trusted advisor, the ball-runner and responsibility bearer for much of the company’s security profile. Recognize early that no amount of effort, technology, and process will completely eliminate the element of risk to the assets of the network.
Back away from derision and dictatorial approaches. Being a general can be beneficial sometimes, but not when you’re trying to build a relationship with a team and decision-makers within an organization. The mechanics of division are too great a cost for the gain of a few minor battles.
Authority over people, process, and policy is better gained through the trusted advisor approach. Build your influence through effective communication with executives and decision-makers and the rest will follow. With the delivery of focused, clear security and systems information, decision-makers are able to make the right decisions.
Complete security approach
Focusing on one or a few types of control in a security program can become a real problem. You can build a better, more complete security program using policy and procedures, technical safeguards, and appropriate training. Multiple defense points within your organization reduce the number of breaches and the likelihood that a breach will go undetected. Education and training are the best tools to prevent users from downloading unauthorized software that can create breach points to their computers. Antivirus software will defend against viruses delivered in an email payload. Certain risks to the environment are addressed by security policies on the system itself. Through this combination, the effective level of security is created. Remember this in your dealings and analysis of forthcoming changes and threats.
Proactive vs Reactive
This is fort building vs police action. A good analysis of the true composition of the organization in this realm reaps tremendous rewards for the organization that can step back and review what kind of organization it is. The analysis is very simple and involves measuring how much of the organizational security process is proactive versus reactive.
Clearly the goal is to build a proactive practice, where the bulk of security work focuses on the planning and building that security posture. This involves things such as training, policy building and review, effective log analysis, and systems management. If your organization does not have the time to address these things, it’s time to hire some help.
Of course, reaction training lives on that fine gray line in between, but it merits mention. Education, training, and documentation provide excellent dividends in incident response situations for example. Having the right information and process can minimize and help identify the damage done in an incident. Making that information readily available is a product of proactive activity and may be a wiki, webpage, company response policy, or may just be a rehearsed process.
You will never be finished
The name of the game in security is change. Things change daily, and often significantly: new patches, new vulnerabilities, new technology, shifting network boundaries, new information, new regulation, and the list goes on and on. In the world of information security nothing stays the same and your job will never be done. Therefore the focus turns to a few more
Some of the everyday tools that you can use are:
- Applications: New applications are coming up all the time; whether an application is in-house, in the cloud, or a “thin app”, the right security analysis will help drive business decisions. This will also provide the security environment profile with facts and a critical understanding of how apparently small changes may actually change the very definition of what the secure environment is.
- Authentication: Assess the capabilities for ensuring that users who access information can be positively identified.
- Accountability: Analyze what controls are in place to ensure users are only doing what they should.
- Authorization: The adoption of new technology is driven in part by the desire for enablement. Know what process or technology is providing the secure access that the business wants and seek the knowledge of the security aspects within this technology.
- Physical security: Worry about the physical aspects of your network. This is a critical piece of the security puzzle, especially as platforms, applications, and technology become more and more mobile.
- Know your network: Security breaches are overwhelmingly tied to unauthorized access by employees who are granted such access. Familiarize yourself with the people that have privileged access and review this information regularly through technology, audit, and policy.
- Policy enforcement: If you make a policy, enforce it. That’s why you are here. If you give ground once, you will give ground again and set the stage for weak or disregarded process. In those hopefully rare cases where an exception is required, ensure that a valid, documented, and publicized business case behind that exception is identified. Make sure that your security policies are monitored and enforced. Executives and management may find ways to get around policy by “making the right call” to your boss. Users will find ways to get around such policies. This is why building that authority and trusted advisor role as discussed earlier, along with regular enforcement, is so critical. If it’s important to you, make it important to your supervisor.
- Reach out: Outside opinions often help serve an organization from the perspective of a fresh set of eyes, variety of experiences, and detachment from organization politics. Outside help and opinions also enjoy the luxury of being free of the specter of previous policy and processes. Use these resources for substantive assistance, analysis and deliverables regularly to help reinforce your organization’s security perspective.
Action Item: Regulations such as SOX, PCI, and HIPAA can obviously be very important and impact revenue. While efforts to ensure and maintain compliance are critical and a part of your job description, it is very easy to get lost in any of these regulations, thus failing to recognize new potential threats and limiting your security capabilities. By paying attention to the greater concepts at large and keeping the tenets of security (integrity, confidentiality, and enterprise analysis) within your practice, you can minimize the risk of such pitfalls and thus provide a better measure of security survival.