InfoSec 2007 Orlando Florida March 23, 2007
Posted by Andrew Berkuta in Security Screams.
I just came back from InfoSec yesterday. Nice location this year, albeit a bit remote from everything. It was interesting hearing the topic of the year on the show floor: “RISK MANAGEMENT”.
My thoughts: you cannot have Security Risk Management (SRM) by just dropping in a box and turning it on. No, SRM incorporates a process whereby you have solutions (key word) that are used effectively and can translate policy into actionable events which identify, and aid in minimizing, your risk in various areas. It was amusing to hear people hawking their wares by saying “…with our data loss prevention (DLP), you have total risk management!”
First off, data loss prevention on a server? Think about it. If someone walks off with a laptop or handheld, you cannot enforce data loss measures if you don’t have control of the endpoint both on and off the network. Host-based is the way to go for starters.
The second thing I heard was application controls for DLP. OK. Here we go again… Agreed, we can open Word documents with any MSFT application (IE, Excel, WordPad, etc.). If you miss one of those applications, or for that matter any Windows-compatible application that has OLE or other compatibility funnels in the back end, your data can be compromised! Period! Again, the right solution in this case is to tag your DATA. No matter what you try to do to it (copy/paste, IM transfer, P2P transfer, even print screen to an unauthorized printer), it would be prevented. This is the better way to go in my opinion.
SRM, however, is not a point product. It is a solution that still incorporates the defence-in-depth methodology. It incorporates processes and the ability to understand your assets, risks, and countermeasures, and to measure against your policies for compliance. And lastly, it includes the education of your most valued resources – your people. Viewed through the eyes of business continuity and infused with business acumen, Security Risk Management is just that – management, ergo a process incorporating methods, tools, and proven metrics to lower the risk posed to a customer.
From a business perspective, SRM bridges the gap between the CSO/CIO and the auditor, through processes, with the IT operations methods. In short, SRM is common ground where the strategic can cohabitate with the tactical to unify the goals of reducing risk for the whole company. It makes sense in this way… not as a single “box” (technology) or product. Nothing is that good, or can accommodate the people and/or processes.
InfoSec was definitely worth going to if you missed RSA or live on the “other” coast. It was interesting to see who the leaders in the SRM space are, and who is just ramping up. 2007 will definitely be about the discussions of SRM and how its impact is translated to a business. In this day and age, it is imperative that risk is in the security vocabulary, and that solutions, not a single product, are sought after when addressing anyone’s security initiatives.
Just my two cents’ worth – a penny for your thoughts?
Network and Physical Security: Can we all just get along? March 23, 2007
Posted by Andrew Berkuta in Security Screams.
Years ago I was a network and physical security director. That meant that, aside from network security, I had the honor of making badges, recommending security measures within the physical office, and such. I can honestly say that it caused headaches many days, but it was rewarding as well.
I see this as a trend: we are unifying both disciplines. There are definite pros and cons to this approach to security.
Pros: Unified security policies, and one-stop shopping (if you will) for security. Streamlined responses which are complete from the day of hire to termination. By complete, I mean that when you suspend someone’s network account, you follow up yourself by locking out their badges to the properties as well. In many locations where security is an afterthought, this helps in locking down your environment so it can be safe for the employees. Similarly, when creating a new user at the start of their employment, you have the complete portfolio to give them, and can offer an education “boot camp” on policies and expectations for the use of the security tools.
Cons: It is a handful to manage, as it takes two different thought processes to master. Let’s face it, network and physical entry involve different methods and practices. Staff is another “con”. When you have both pieces on your plate, you are typically left with less staff than you need, or than would have been assigned if the two were separate. In short, you get fewer resources and more responsibility. Budget is strained, as you have to accommodate both camps, and management only sees one line item on the roll-up ledger labeled “security”. They don’t like to spend on security – period. It does not make them money; it is an expenditure in their eyes… and “Hey?! Nothing happened so far!” (Don’t go there.)
In short, it seems like unifying both is becoming a trend. The motive could be resources (money, staff, training), or whatever it may be. My take is that if you are going to take a job which incorporates both, make sure you have the following:
1) Board and corporate buy-in.
2) The security department reporting up to a board member, the president/CSO/CIO (directly), or the legal head of the company (think risk management).
3) A budget which incorporates the right amount of staff, tools (or else you become the fall guy/gal when the laws of plumbing apply in a crisis), and education, formalized in a budget somewhere. Don’t fall for the promise of “we will get to it when you tell us” – spell it out for them that security costs less than the risk of something happening and ruining their production. Ask for the risk assessment from their business continuity plan. This should be in line with their security budget to some degree, so that there is a realistic ratio of expenditure.
4) Lastly, the time frame: if they are holding you to a timeline, make sure you buy into it before accepting the position. Buying in would require full disclosure of their skeletons in the closet before you are pulled into that meat grinder. Make sure you ask a LOT of questions.
I am up for hearing your experiences. Drop me a note and we can compare security scars.