Thursday, May 20, 2010

Best bang for buck security initiatives

If you are a CISO or even a security analyst, what are some of the best ways to make a visible impression and change the risk profile of your organisation?

Well here are some suggestions:
- conduct security awareness training customised to business unit processes
- identify your key business processes and systems by interviewing business unit leaders
- perform a risk assessment of the top ten riskiest business processes and the top ten systems for each
- pick a key system, vulnerability scan its infrastructure and present the results with proposed fixes
- identify a list of projects underway and risk-assess the top ten riskiest
- engage someone to identify and test your internet-facing web applications
- talk your infrastructure people into doing an inventory of devices on the network
- monitor outbound web traffic for botnet command and control communications
- benchmark patch levels of 3rd party apps on top of the desktop standard operating environment (SOE)

Well, that's the end of my brain dump! Hope it helped you out with some ideas!

2 comments:

mcw said...

Is there evidence that we could use to compare the effectiveness of security awareness training to other mitigations? Is security awareness training objectively the "best bang for the buck"?

Jarrod said...

I had touched on this in an OWASP talk. In short, developer training works, user training doesn't. Not that it shouldn't be done but I wouldn't invest a huge chunk of time.

There's a lot of stuff out there in terms of scoring visible impressions on the board - I defer to stuff like the Pragmatic EA (see here). EAs have been at this for longer, or at least have better experience than most security architects IMHO.

Long term, these will add value but in essence, good architects and managers need to chalk up runs on the board and quickly to establish credibility and value otherwise they risk being seen as ineffectual and running things from their "ivory towers".

Taking your example, why not take a few of your suggestions that can be done quickly and generate rapid results within the first 30 days? There was an article in CIO magazine ages back that suggested that effective leaders at that level need to have an action plan for generating results fast. Security leaders likewise need to do the same.
