It Often Starts With Anarchy
As far as we’ve come with information security, the landscape still feels like the wild west. Every day we read about the cyber equivalent of ungoverned towns terrorized by enterprising criminals who pillage as they wish with seemingly no consequences. The good guys are few, and the sheriffs are too far between. Maintaining the peace rests upon you, whether you asked for the job or not. Swiftly reacting to intrusive foes may grant you the right to fight another day, but getting ahead of security risks warrants a proactive, strategic plan with structured management oversight.
Assemble Your Strategy
Security spending is estimated to exceed US$75 billion in 2016. While it’s good news that security spend is increasing, there’s a broad range of security products to choose from, and knowing where to allocate funds requires a strategy.
Security programs are often derived from venerable frameworks such as the SANS Critical Security Controls or ISO 27000. Although comprehensive, these frameworks can be daunting at first. A simpler approach revolves around building a security program on a limited set of foundational pillars which serve as security program categories or “tracks.” For an emergent security program, about four to five pillars should be sufficient. For example:
- Business Alignment – Security should support the business and must not impede company objectives.
- Security Awareness – The securing of human beings and the internal “marketing / PR” of information security.
- Governance and Compliance – The management aspects of security, such as planning and measurement, as well as adherence to internal and external regulations.
- Vulnerability Management and Incident Response – Finding and managing vulnerabilities as well as responding to crises.
Formal security frameworks have granular controls that conveniently “roll up” into these pillars. For example, SANS Critical Control 20 (Penetration Tests and Red Team Exercises) can be aligned with the Vulnerability Management pillar. Likewise, ISO 27001 control A.15.2.1 (Monitoring and review of supplier services) aligns easily with Governance and Compliance. Taking a page from agile methodologies, the objective here is to start small with a handful of pillars, then over time scale into something more industrial strength without much “throw-away” work. Essentially, pillars are baby steps that pave the way to broader ISO or SANS-type programs.
Find Your Pillars
As noted, pillars represent your security program’s high-level “tracks.” Your enterprise will likely have different pillars, and you may have more or fewer than five. Regardless, these four simple steps can help identify your organization’s security pillars:
1. Identify what’s important to the organization, be it money, intellectual property, customers, etc.
2. Enumerate potential threats posed to the items identified in step 1.
3. Determine protection and mitigation strategies to prevent threats from intersecting with important assets.
4. Iterate through steps 1-3, and group the resulting activities into fairly general categories. By consolidating categories wherever possible, distinct pillars will start to form.
It’s not always easy to identify risks, especially when you are unfamiliar with the current threat landscape. Fortunately, external assistance may prove useful in such situations. A security consultant can provide comprehensive threat models, and security companies like Infoblox can provide free security assessments that identify active threats on your network which were previously invisible.
Manage Security as a Program
Once you’ve identified the general pillars of your security program, each pillar will start to develop associated sets of projects and ongoing activities around improving security posture. There are numerous tools in the security expert’s repertoire to support this effort, but a couple of staple artifacts worth calling out are the risk register and operational security reviews.
The risk register is essentially where one lists risks and summarizes how each risk is being managed. It’s not rocket science, and contrary to popular belief, it doesn’t require the purchase of exorbitantly expensive software. In fact, for newly founded security programs, a spreadsheet works just fine.
While the risk register may be appropriate for executive review, operational security reviews are intended to track progress (or lack thereof) on a more tactical level. For instance, tracking progress in the “vulnerability management” pillar may warrant metrics such as the number of open high-risk system vulnerabilities, the number of exploited vulnerabilities, average time to patch, and so on. These metrics must resonate with system owners and those responsible for day-to-day operational security so that they have actionable data to improve security posture.
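As an added illustration of the tactical metrics described above (this is not code from the original post), the script below computes those figures from a constructed list of vulnerability findings; the column names, severities and dates are assumptions chosen for the example.

```python
import csv
import io
from datetime import date
from statistics import mean

# Constructed sample findings for the vulnerability-management pillar (not real data).
# Columns: finding id, severity, date found, date patched (blank = still open),
# and whether exploitation of the vulnerability was observed.
FINDINGS_CSV = """id,severity,found,patched,exploited
V-1,high,2016-01-04,2016-01-20,no
V-2,high,2016-01-10,,yes
V-3,medium,2016-01-12,2016-01-15,no
V-4,critical,2016-02-01,2016-02-03,yes
V-5,high,2016-02-05,,no
V-6,low,2016-02-07,2016-03-07,no
"""

HIGH_RISK = {"high", "critical"}  # assumed severity labels that count as high-risk


def load_findings(text):
    """Parse the CSV into dicts with real dates and a boolean 'exploited' flag."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["found"] = date.fromisoformat(row["found"])
        row["patched"] = date.fromisoformat(row["patched"]) if row["patched"] else None
        row["exploited"] = row["exploited"].strip().lower() == "yes"
        rows.append(row)
    return rows


def pillar_metrics(findings, as_of):
    """Operational review metrics for the vulnerability-management pillar as of a date."""
    still_open = [f for f in findings if f["patched"] is None]
    open_high = [f for f in still_open if f["severity"] in HIGH_RISK]
    open_exploited = [f for f in still_open if f["exploited"]]
    days_to_patch = [(f["patched"] - f["found"]).days for f in findings if f["patched"]]
    # Age of the oldest unpatched item matters as much as how fast closed items were fixed.
    oldest_open = max(((as_of - f["found"]).days for f in still_open), default=0)
    return {
        "open_high_risk": len(open_high),
        "open_exploited": len(open_exploited),
        "avg_days_to_patch": round(mean(days_to_patch), 1) if days_to_patch else None,
        "oldest_open_days": oldest_open,
    }


def review(as_of=date(2016, 3, 10)):
    """Snapshot for a review meeting on the (assumed) review date."""
    return pillar_metrics(load_findings(FINDINGS_CSV), as_of)


if __name__ == "__main__":
    for name, value in review().items():
        print(f"{name}: {value}")
```

Replacing FINDINGS_CSV with an export from your scanner or ticketing system turns this into the week-over-week trend line system owners can act on.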
In summary, a security program is a continuous journey. Like most journeys, it starts with a single step, and it will certainly have pitfalls along the way. Perfect security is unrealistic, so don’t be afraid to fail. How we manage and adapt is infinitely more important.