Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Security’s greatest hits.

Of all the initiatives I’ve rolled out in my (checkered) career, the ones that have gotten the most acclaim from my management have always been the ones that were most visible to the users.  They turned out to be popular if they:

- were used directly by the users
- allowed the users to do something better, or faster, or both better and more securely
- helped reduce the risk of a legal problem

Never mind that we might have done something much more impressive with the firewalls, or monitoring, or something “under the covers.”  It might as well have been plumbing.  I could have gone to them and said, “We’ve replaced everything with the finest tubing and we won’t have any more leaks for 20 years,” and they would have said, “Oh.  Fine.  Next?”

This is just to point out that not all “security impacts” are equal.  We may spend a lot of time Fighting the Good Fight to secure against cross-site scripting, for example, but a change is often seen as much more valuable if it secures the way people are actually using data.  In the eyes of the business, the ultimate risk decision maker, the more a change affects and helps the users, the bigger the win.  So from a practical point of view, they’re using a very different set of risk factors than we are from behind our consoles and our dashboards.

Which set is “correct,” which view provides the best understanding of the actual security risk, may never be determined.  But an ISO’s job is to try to understand and reconcile the two as far as possible.

Posted by shrdlu on Thursday, May 22, 2008

Comments

LonerVamp United States on 05/22  at  02:30 PM:

Of the things I’ve done in my current job over the past 2 years, including expanding our development environments, implementing IPS/IDS/HIPS, and supporting a brand new BCP/DR plan along with a new data center...what got me the most positive attention from people outside my team and my immediate manager?

Yeah, hiding file shares users didn’t have access to, so they only see what they can access (a standard Unix thing that isn’t standard on Windows). That took all of 5 minutes. :(
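The “hide what the user can’t access” change LonerVamp describes is Access-Based Enumeration (ABE) on Windows file shares. The script below is an added example, not the commenter’s code (none is shown in the comment): it audits the SMB shares on a host and, with `-Fix`, turns ABE on where it is off. It assumes the built-in SmbShare PowerShell module (Windows Server 2012 / Windows 8 or later) and local administrator rights; older hosts used the separate `abecmd.exe` tool instead.

```powershell
# Added example: audit SMB shares for Access-Based Enumeration and optionally
# enable it. Not the commenter's code. Assumes the SmbShare module and admin
# rights on the file server; share names are whatever Get-SmbShare returns,
# nothing is hard-coded.

param(
    [switch]$Fix   # pass -Fix to enable ABE on shares that lack it
)

# Skip the administrative shares (C$, ADMIN$, IPC$); ABE is for shares users browse.
$shares = Get-SmbShare | Where-Object { -not $_.Special }

foreach ($share in $shares) {
    # FolderEnumerationMode is 'Unrestricted' (everything listed) or 'AccessBased'
    # (only entries the caller has at least Read on are listed).
    if ($share.FolderEnumerationMode -eq 'AccessBased') {
        Write-Output ("{0,-25} ABE already on" -f $share.Name)
        continue
    }

    if ($Fix) {
        # Changes only what is *listed*; it does not touch NTFS or share ACLs,
        # so anyone who already had access still has it.
        Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
        Write-Output ("{0,-25} ABE enabled" -f $share.Name)
    }
    else {
        Write-Output ("{0,-25} ABE OFF (rerun with -Fix to enable)" -f $share.Name)
    }
}
```

Run it without arguments for a report, then with `-Fix` to apply. One caveat worth repeating to management: ABE hides folders, it does not deny access. A user who already knows a path can still open it if the ACL allows, so the permission review is the real security work; ABE is the visible part that gets the thanks.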

Gary New Zealand (Aotearoa) on 05/23  at  04:46 AM:

That’s a good point, an important one too if budget decisions are made by those same managers on the basis of their perception of risks and benefits, which they usually are.

I ‘saw the light’ on risk analysis about a year ago when a discussion got into the difference between ‘value at risk’ from the organization or white hat’s perspective versus that from the attacker or black hat’s perspective.  One can imagine that, to the organization, a database of customer info including credit card numbers is a handy store that saves customers having to re-enter their details for each order, and perhaps a few more sales because of the convenience factor.  To a hacker who breaks into the system and steals the database, each complete record has a real dollar value on the black market.

To an infosec guy with a million jobs on his to-do list, a software vulnerability requiring a workaround or patch is just another task among many.  To a script kiddie with a script which exploits that particular vulnerability, it is his route in to the network.

To the organization, an exposure of personal data is potentially a legal and PR issue, for a while at least if disclosed, and might even be no impact at all.  To the individuals whose identities are stolen, each little breach is the start of a living nightmare, trying to re-establish their credentials, credibility, credit record and trust.

Perspective is indeed a fascinating element of risk.

G.
