Wednesday, March 3, 2010

Staying cheerful despite Barriers to Information Security

Sometimes it's hard to be positive when you work in information security. I have noticed a number of my colleagues get very despondent that they are unable to change the status quo at their respective organisations.

I'm an eternal optimist, and I think it's the job of information security professionals to be constantly active in attempting to improve the state of information security. You've got to keep ducking and diving with the grace of Muhammad Ali, taking a tactical win whenever the rare opportunity presents itself.

Some maxims that are useful to keep in mind:

1. Success is defined as having the information security program aligned with the business's desired residual risk level. Some notes to consider:
  • management must make the informed decision to run "cheap, lean and risky" rather than be blindsided by security incidents
  • security done well can be a competitive advantage to a business by reducing the costs of doing business compared to its competitors (i.e. a reduction in losses and in security cap-ex and op-ex, with no increase in risk)
2. Funnel the kick-back from a security incident into a productive, pre-planned effort: "Oh sir, we've responded well to the incident; however, this could have been prevented by the DLP program we had on the budget request last year."

3. Most intrusions (according to the 2009 Verizon Data Breach Investigations Report) are due to year-old vulnerabilities, so don't focus on obscure stuff and forget the basics: secure configuration, deploying security patches, and squashing SQL injection vulnerabilities.

Some common challenges encountered and tactics to consider:

  • when "bottom up" vulnerability management efforts stall because business application owners will not approve the costs or outages for secure configuration, patching, or remediation of application security issues, try "top down" approaches: develop a security charter in conjunction with executives, and from that derive a security policy set (aka an ISMS) that requires vulnerability management
  • when information asset classification efforts are failing due to a lack of business process documentation and of inventory and asset management processes, try some inventory activities yourselves (e.g. some port scans of your own networks) and share the results with the operations team to kick-start their efforts.
If some more problems and tactics come to mind I'll re-edit this post later on.
