Getting the biggest bang for the buck.
So, if you’re an IT security manager, and you live in the real world of constrained resources, how do you decide on your priorities?
I know there are a lot of different ways to slice and dice the Security Management Program pie, but just as a strawman I’ll throw out these categories:
- system and network configuration
- application security
- physical security
- policies and awareness
- incident response
- monitoring and detection
- legal and audit compliance
A little clarification: you’ll find buzzwords like “vulnerability scanning” and “firewalls” under system and network configuration. Incident response in this case means training and preparing for incident response, not actually doing it (of course incidents take top priority).
And you’ll notice that I put compliance in its own category, because I don’t believe there’s a complete one-to-one correspondence between it and any of the other categories. It sort of sits over all of them, but not very well.
Do you tend to be event-driven? When you have an incident that was caused by a lack of something in a particular category, do you put that one at the top of your priority list? Do you try to give equal time and attention to all of them in an endless Whack-a-Mole loop?
I’m going to be a little radical here and toss out the idea that your first priority and your greatest effort should be in awareness and security education, with the rationale that since security depends on people, if you do nothing else but teach your organization how to Do the Right Thing, you’ll get farther than by pushing harder on the other categories.
Security managers can’t be everywhere at once. You have to depend on the system administrators knowing how to configure systems securely, keeping the patches rolling, monitoring their particular systems, and knowing when to call you if they see something funky. You have to depend on developers knowing the basics of secure application design, because you’ll never be able to check all their code. The general users have to know what to do and what not to do, and be encouraged to ask questions when they’re not clear on policy.
So I’d argue that you’ll get more tasty tuna by teaching the rest of the organization to fish than by trying to keep up with all the nets yourself, even if you’re the Net.Professional.
Posted by shrdlu on Thursday, July 27, 2006