While chatting with a friend yesterday about approaches to integrating security into a system or software development life cycle, I mentioned something that bears repeating. There must be an overall strategy to a company’s information security program. And strategy does not mean a list of projects to do for a given timeframe. Seriously though, I’ve seen a lot of companies approach the security game (yes, it is a game, didn’t you know?) with what I think is a reactive, product-based approach. I don’t really even think “approach” is the proper word here. Sure, there are some “no-brainer” products that most organizations need, but understanding what that need is and successfully implementing and managing these things are not at all the same. The product approach leads to great products that are poorly implemented, improperly managed and ultimately do not provide the value they are intended to deliver. This is because they can only deliver when surrounded by a coherent, realistic and repeatable process. But even this isn’t, in my opinion, the root cause. The root cause is the lack of an overall strategy, approach, plan or whatever you want to call it for the various facets of an information security program. Instead, isolated islands of projects pop up without any sense of the big picture.

Now, back to my discussion. My advice was to loosely model the CMM. I say loosely because we only need the general concepts (with some modification) to steer us in the right direction. The CMM is focused on levels of maturity. As you progress upward in the CMM, things become more defined, repeatable, measurable and optimal. The first thing to do is to map the various security products, processes, initiatives and what-not to the levels of the CMM. Of course I bastardized the CMM, because I made the point to say that things like security in the SDLC come only after other, more pressing issues get to level 2. It wouldn’t make sense to begin a full-scale SDLC project when antivirus, patching and firewall management processes are not working at all. The idea of the CMM is to let you take the various categories and tasks of information security, see where your gaps are, and plan more strategically to address them. The ad-hoc, on-demand approach can work, but you get stuck in that cycle.

I’m not saying that processes, strategies and plans are the keys to a successful program. What I am saying is that these are usually conducive to creating discussions that address the appropriate problems, allowing people to stop and think about what they are or are not doing and, ultimately, to develop some achievable and realistic goals. Many times, unfortunately, organizations are stuck in the producto-reactive cycle.