Wednesday, January 06, 2010

In absence of a security strategy

From experience working with all manner of organizations, there are a number of distinct security strategies present in the industry. Since every business operates differently, perhaps there is no right or wrong approach. That is, as long as the approach is properly aligned with the goals of the business. If not, the end result will lead to failure and, in my opinion, represents one of the largest, if not the largest, challenges presently facing the industry. That, along with “justification,” which is probably the same thing.

Here are the strategies I’ve managed to identify:

Incident Response (aka: public relations)
Ensure that the exact types of previous break-ins, that have also been publicly attributed to the organization, will (hopefully) never happen again. Organize a set of public relations talking points for media inquiry in case it does.

Compliance (aka: satisfy the checkbox)
Satisfy audit requirements for any/all applicable regulations where failure will result in significant business loss. Ignore the rest until they do. Decisions on whether a particular security safeguard is required should be left to the discretion of the on-site auditor, but only after appropriate organizational push back.

Risk Management (aka: control-based)
Implement minimum industry-accepted best-practices controls that establish a defensible due diligence posture in the event of an incident or public inquiry. Engage with a well-known security consultancy that may positively attest to your organization's adherence via a thorough risk assessment.

Business Continuity (aka: keep the boss happy)
Address any security issues that have previously inhibited management's ability to use email or view online adult entertainment. Other outstanding risks are considered secondary and should be revisited periodically by the security steering committee.

Identify and categorize the various threat agents that must be successfully defended against. Actively monitor threat agent activity, implement security controls that limit their capabilities, and generate business-level activity reports.

Competitive Advantage (aka: customer-based)
Obtain a list of essential security controls from key customers/prospects and competitor technical literature, and provide assurance to customers that these highest standards of due care have been implemented.

Obviously many of these descriptions are meant to be humorous while still reflecting some semblance of today's organizational reality. Most organizations adopt more than a single strategy to form their own unique hybrid approach to information security.


Unknown said...

"minimum industry accepted best-practices controls"

lol, nice oxymoron!

Jeremiah Grossman said...

Hey, I was being serious.


Richard Bejtlich said...

Great post -- although (and you may have thought this too) I see many organizations doing several of these at the same time, sometimes by design and sometimes not!