With all the laws and regulations in place today, why should I bother about strategic security planning? Being compliant with them must be enough, right? Many organizations today are still running their security shops in “New York cab mode”: they spend most of their time responding and reacting to “things” bumping into their way. As we all know, many things come up on a daily basis from left and right, and especially from the top of the house. The New York cab driver does exactly the same.
Others ask consulting firms to come in from time to time to check the status quo. As a result they get a remediation list containing the required security projects, which they then call their security strategy. They may close existing holes and remediate some older security risks, but the security organization overall remains incident-driven and does not operate in a proactive, business-focused fashion.
Things are changing these days, and senior security managers begin to see the value of using established strategic planning principles to guide their efforts. The goal is to apply a formalized process for setting strategic goals based on existing risk information and business objectives. With such a plan in place you have defined objectives you can measure and report on. You are in control, and not every incident impacts your overall situation.
Recently a lot has been published about proper information risk management, how to write policies and other aspects of security governance. What about a proper strategic plan for preventive and detective IT security controls?
Let's have a look at a car. If we take the compliance-driven approach and design a car based on today's regulations, it would have at least the following safety components installed:
- Lights & signaling equipment, preventive components
- Brakes, steering and suspension, preventive components
- Seatbelts, preventive component
- Crumple zones, preventive component
- Mirrors, detective component
- Speedometer, detective component
- Maybe anti-intrusion bars and pedestrian protection system
This car would function and I could use it legally on the road. We have both preventive and detective components on board, and riding in it may be a lot of fun. But would the majority buy it as their family car? Most probably not!
Let's include the expert advice next. A proper analysis of our safety situation would show that, compared to other car manufacturers, our design misses the following important safety components:
- Airbags, preventive components
- Anti-lock braking system (ABS), preventive component
- Traction control system, preventive components
- Emergency brake assist, preventive component
- Adaptive headlamps, preventive components
- Cargo barriers, preventive components
Wow, now we have a much better and safer car at hand, right? We can travel faster and we are still safe. With the remediation plan in place we must now be on the road to success. So why are the customers still not enthusiastic about our model?
OK, OK. Let's develop a strategic plan to design a car that fulfills the requirements our customers are looking for these days. It also needs to comply with all laws and regulations and address all currently known safety risks. After analyzing the situation, and taking a proactive approach that allows our company to outperform the market, we have these additional safety components on board:
- Automatic braking, preventive component
- Infrared night vision, detective component
- Reverse backup sensors and backup camera, detective component
- Adaptive cruise control, preventive components
- Lane departure warning system, preventive components
- Tire pressure monitoring, detective component
- Precrash system, detective component
As a result we come up with a car our customers are interested in, or even dream about. In the IT security world, the business is our customer. You all know that they are normally very demanding, asking for a lot and willing to pay as little as possible. We are very similar when we are about to buy a new family car.
I am absolutely clear that it is not always that black and white. If your organization does not have higher security demands, as it is not handling any kind of confidential information, the first approach may work for you. To stay with the car example, the car below has not a single safety component from option two or three, and even the components from approach one are not fully covered, but it is a fantastic car if handled by a very skilled person who is able to control it the right way.
We in IT security can learn something from the car industry. Each modern car has a safety concept in place that balances prevention and detection. Logging and monitoring in IT security, for example, is a typical detective control that helps us compensate. If we have not implemented a layer of preventive controls in the first place, it is unlikely that we will derive much benefit from our IT security logging and monitoring program.
We can differentiate our logging and monitoring (L&M) approach into three layers:
- Compliance monitoring: see how our preventive controls are being enforced (prevention is better than cure). In the car we monitor, for example, whether our brakes are functioning correctly.
- Black list monitoring: unauthorized activities, e.g. password cracking, intrusion, unauthorized changes, malware, data exfiltration attempts etc. This delivers a proactive approach to stopping attacks, both internal and external, while they are in progress. In the car we monitor, for example, the traction of our wheels to ensure a safe ride.
- Anomaly monitoring: authorized activities that may nevertheless indicate a threat scenario in progress, e.g. statistical anomalies such as an excessive number of servers not sending security events, a large number of wrong passwords etc. In the car we monitor, for example, the tire pressure of our wheels.
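The three layers are easier to see side by side in code. The following is an added example, not part of the original post: it runs the three checks over a handful of constructed log lines. The log format, host names, event names, the expected-host list and the failed-login threshold are all assumptions made for the demo; a real L&M program would feed the same three checks from its SIEM or log pipeline.

```python
"""Three-layer log monitoring demo: compliance, black list, anomaly."""
from collections import Counter

# Constructed sample events (not real logs): "timestamp host event key=value..."
SAMPLE_LOG = """\
2024-01-01T08:00:00 web01 control_status firewall=enabled
2024-01-01T08:00:00 web02 control_status firewall=disabled
2024-01-01T08:00:00 db01 control_status firewall=enabled
2024-01-01T08:01:00 web01 auth_failure user=alice
2024-01-01T08:01:05 web01 auth_failure user=alice
2024-01-01T08:01:10 web01 auth_failure user=alice
2024-01-01T08:01:15 web01 auth_failure user=alice
2024-01-01T08:01:20 web01 auth_success user=alice
2024-01-01T08:02:00 db01 auth_failure user=bob
2024-01-01T08:03:00 web02 malware_detected path=/tmp/x
"""

# Hosts we expect to report in every interval (assumed inventory).
EXPECTED_HOSTS = {"web01", "web02", "db01", "app01"}

# Event types that are never authorized (the black list layer).
BLACKLIST = {"malware_detected", "password_cracking",
             "unauthorized_change", "data_exfiltration_attempt"}

# Authorized activity (failed logins) becomes an anomaly above this count.
FAILED_LOGIN_THRESHOLD = 3


def parse_log(text):
    """Turn the whitespace-separated demo format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, *rest = line.split()
        detail = dict(kv.split("=", 1) for kv in rest)
        events.append({"ts": ts, "host": host, "event": event, **detail})
    return events


def compliance_findings(events):
    """Layer 1: hosts whose preventive control is reported as not enforced."""
    return sorted(e["host"] for e in events
                  if e["event"] == "control_status"
                  and e.get("firewall") != "enabled")


def blacklist_findings(events):
    """Layer 2: events that are unauthorized by definition."""
    return [(e["host"], e["event"]) for e in events if e["event"] in BLACKLIST]


def anomaly_findings(events, expected_hosts=EXPECTED_HOSTS,
                     threshold=FAILED_LOGIN_THRESHOLD):
    """Layer 3: authorized activity whose statistics look wrong.

    Two of the post's own examples: hosts that stopped sending events,
    and users with an excessive number of failed logins.
    """
    seen = {e["host"] for e in events}
    silent = sorted(expected_hosts - seen)
    failures = Counter(e.get("user") for e in events
                       if e["event"] == "auth_failure")
    noisy_users = sorted(u for u, n in failures.items() if n >= threshold)
    return {"silent_hosts": silent, "excessive_failures": noisy_users}


def run_monitoring(text):
    """Run all three layers over one batch of log text."""
    events = parse_log(text)
    return {
        "compliance": compliance_findings(events),
        "blacklist": blacklist_findings(events),
        "anomaly": anomaly_findings(events),
    }


if __name__ == "__main__":
    for layer, findings in run_monitoring(SAMPLE_LOG).items():
        print(f"{layer}: {findings}")
```

On the sample data the compliance layer flags web02 (firewall disabled), the black list layer flags the malware event on the same host, and the anomaly layer reports app01 as silent and alice as exceeding the failed-login threshold. Note that the compliance finding is the one that matters most for the post's argument: a detective control only pays off once the preventive control it watches is actually in place.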
The more we focus on our strategic approach, the higher the probability that we will deliver real business value. The more we are in control of the overall situation and the existing information risks, the better. Early prevention is the key, as we don't have to fix problems and handle incidents later on. At the same time it is a big chance for the IT security organization to earn business credibility.
“Let's make it happen”