By: Nat Puffer
I recently had the opportunity to spend a little downtime with a colleague who does a lot of writing and thinking about security. As we talked about what crashing economies, tightening budgets, and 2009 in general might mean to IT security, he made an interesting statement,”There is no such thing as a security diet pill.”
We’d seen so many security programs fail, not because of a lack of resources, but because of a lack of discipline or understanding. They had been operating like someone who is furiously trying to get in shape purchasing fitness products and diet books in bulk. The results were exactly what you’d expect, some initiatives worked great for a short while. However, in time, most became exercises in installing the newest exciting product or were abandoned all together due to the pace of business. Technology was courted as a series of solutions instead of what it is, a tool for getting the most out of the work you put in.
So here we are with the same goal we’ve had for a while. The budgets are shrinking and the problem isn’t. Time to put our feet up on the dusty weight bench, have a cheeseburger, and resign ourselves to the way things are, right?
Or maybe we can look at this as an opportunity. Perhaps this is a good time to take stock.
Measuring initiatives by the budgets they carry or the technology they purchased isn’t going to resonate with upper management the way it once might have. Fiscal tightness will start to require security fitness. We know the tools are laying around, we bought them all. Now may be a good time to make sure we’re using them the best we can. Now is a good time to make sure we’re putting in the work.
See your Doctor Before Starting any Program
What are your true security strengths? What are your weaknesses? What are you trying to protect? Are all your assets of equal value? The answers to these questions should be your guide going forward. This is also the point where you need to ensure you’re taking an honest look at the situation. With the resources you’ve already amassed, what is your capability? Politics has no place here.
Set Realistic Goals
If you don’t even have an IDS in place, don’t create a mandate that every packet in the network will be tracked by next quarter. Understand the limitations imposed by your business, your current capability, and your culture. Realize that changes, especially ones involving adding restrictions or controls, take time to adopt. The bright side is that you’re first goal is to use the technology and systems you’ve already paid for more efficiently. Install the IDS. Update it. Tune it. Integrate the data with your vulnerability scanner to create a more accurate risk profile.
Maintain a Healthy Diet
Fear, Uncertainty, and Doubt are the hallmarks of an unhealthy security diet. News channels propagate this. Conferences do their share. Industry trade magazines don’t help. The net result is security programs that think they are being reactive to cutting edge threats, but are never truly increasing their over all security. Gartner declares IDS is dead; IPS is the new future. You mean IDS with blocking? So everyone upgrades and tears out the infrastructure. Attention isn’t paid to the original problem. Nobody ever upgrades the signatures. Nobody ever looks at the alerts. Before you spend resources looking into Vishing attacks, ask yourself if you have any assets exposed by attacks on an automated call system? Is that exposure more critical than the current initiatives?
There’s no Substitute for Exercise
I haven’t seen anyone talking about security as a continuous process lately. I’ve heard about programs, initiatives, even sprints. At its core though, security is something that should be part of the organization and the culture. Evaluation and improvement of the system should be done through continuous movement. Small steps with a commonly understood purpose. The guidance of Security Offices should become integrated into the business operations of the organization. Monitoring the effectiveness and providing honest, actionable feedback should become routine. Eventually, testing of the system will become a non-event. It’ll already be in shape.