InfoSec 2007 Orlando Florida March 23, 2007
Posted by Andrew Berkuta in Security Screams
I just came back from InfoSec yesterday. Nice location this year, albeit a bit remote from everything. It was interesting hearing the topic this year on the show floor: “RISK MANAGEMENT”.
My thoughts. You cannot have Security Risk Management (SRM) by just dropping in a box and turning it on. No, SRM incorporates a process whereby you have solutions (key word) that are used effectively and can translate policy into actionable events that identify, and help minimize, your risk in various areas. It was amusing to hear people hawking their wares by saying “…with our Data Loss Prevention (DLP), you have total risk management!”
First off, data loss prevention on a server? Think about it. If someone walks off with a laptop or handheld, you cannot enforce data loss measures if you don’t have control of the endpoint both on and off the network. Host-based enforcement is the way to go for a start.
The second thing I heard was application controls for DLP. OK, here we go again. Agreed, we can open Word documents with any Microsoft application (IE, Excel, WordPad, etc.). If you miss one of those applications, or for that matter any Windows-compatible application that has OLE or other compatibility funnels in the back end, your data can be compromised. Period! Again, the right solution in this case is to tag your DATA. No matter what you try to do to it, whether copy/paste, IM transfer, P2P transfer, or even a print screen sent to an unauthorized printer, the action would be prevented. This is the better way to go in my opinion.
SRM, however, is not a point product. It is a solution that still incorporates the defense-in-depth methodology. It incorporates processes and the ability to understand your assets, risks, and countermeasures, and to measure against your policies for compliance. And lastly, it includes the education of your most valued resource: your people. Viewed from the eyes of business continuity and infused with business acumen, Security Risk Management is just that, management; ergo, a process incorporating methods, tools, and proven metrics to lower the risk posed to a customer.
From a business perspective, SRM bridges the gap between the CSO, CIO, and auditor, through processes, and the IT operations methods. In short, SRM is common ground where the strategic can cohabit with the tactical to unify the goal of reducing risk for the whole company. It makes sense in this way, not as a single “box” (technology) or product. Nothing is that good, or can accommodate the people and/or processes.
InfoSec definitely was worth going to if you missed RSA or live on the “other” coast. It was interesting to see who the leaders in the SRM space are, and who is just ramping up. 2007 will definitely be about the discussions of SRM and how its impact is translated to a business. In this day and age, it is imperative that risk is part of the security vocabulary, and that solutions, not a single product, are sought after when addressing anyone’s security initiatives.
Just my two cents’ worth – a penny for your thoughts?