What distinguishes a good security program? One of the hardest questions to answer in the Information Security field is whether our security program is good, or not. It’s a question we want to answer for many reasons, not least of which include:
- Assuring my boss, my CEO, my Board, my company that the money and resources they’ve entrusted me with are appropriate and well utilized.
- Being comfortable that we have done the right things to make a breach, theft, intrusion, etc. as difficult and unlikely as possible.
- Measuring your security program in a clear, easy-to-understand fashion.
Based on many years of my own experience, I’m going to tell you what I believe constitutes a good security program: one that is appropriate and effective, and one that you can measure to demonstrate that you are doing the right things. This is all about taking care of your “below the line” responsibilities. Those are the responsibilities that are your job, that you are just supposed to take care of, that the CEO doesn’t want to hear about every day.
Please notice that the VP of Marketing is not busy giving the CEO metrics on how many FTE hours were spent creating PowerPoint slide decks for the sales people to use. This is the sort of “I’m busy” metric that should never be used outside your own department. Of course you are busy; that is what your organization pays you to do.
Okay, so what makes a security program appropriate and effective (which is a good way of defining “good”) and can also be measured? I can sum it up pretty easily.
- Do security basics really well.
- Do good threat & attack intelligence.
- Do good incident response.
Yep, that’s pretty much God, Country, Motherhood and Apple Pie sort of stuff. But it also happens to be very, very true. If you go look at security incidents that are reported publicly, you will discover that the vast majority of them were not the dreaded “Advanced Persistent Threat” or the nation-state bogeyman. I talked about that in an earlier blog entry, actually: Vulnerability Management Re-Visited.
What you will find is that almost every time a company’s security is breached and critical assets are exploited in some way, the company failed to do security basics well. And frankly, if you don’t do #1, you are going to have a hard time at #2 and #3.
Let’s put this another way. Gartner said at their recent Security & Risk Management Summit that doing the basics of security well enables an organization to reduce the risk they face by up to 80%. You read that right. Do the basics. Stop worrying about the Chinese Army for crying out loud and start worrying about threat and vulnerability management, patching servers, access management, encryption, and solid policies. In fact, here are the specifics according to Gartner (I’m in total agreement):
- Patch and Update (yep, they listed it first)
- Good fundamental policies
- Security education
- Encryption where it’s warranted
- Serviceable perimeter protection
- Identity and Access Management
Let me reiterate: this solves up to 80% of your risk. If you are not doing this stuff well, you are not running a good security program. The definition of what “good” looks like is out there. Gartner is a good source. Companies like mine are a good source. Yes, of course we are selling products and services. But we’ve also been doing penetration testing and vulnerability management since 1996 and actually know what a good patch and update program looks like. So look to peers in your industry, to analyst firms and to product and services vendors to see what doing the basics well means.
What about the other two? Pretty simple, really. If you don’t know who is going to attack you and how, then how on earth can you possibly do the basics well in the first place? Perhaps I should make Threat & Attack Intelligence #1 and the basics #2? Anyway, figure out what the threat is. If you are a hospital, it’s probably not the PLA. If you are a retail store, it’s probably not medical insurance fraud types. Focus on the bad guys that threaten you. Focus on their real capabilities. And then determine how and where they will attack. See my post explaining that You Can’t Defend Without Intelligence.
Finally, you need to be able to do good incident response. You’re only reducing your risk by 80 to 90 percent by doing 1 and 2. Something bad is going to happen. If you can’t detect that it happened and respond to the incident, you are going to be in deep trouble. The last thing you want is to have the FBI and the credit card brands show up at your front door to let you know that your network has been breached and tens of millions of credit cards have been stolen. You want to be the guy that realizes there is a bad guy operating inside your network and can go to the FBI (or the appropriate law enforcement agency for your scenario and country) and provide them with the information and evidence needed for them to take action on your behalf. Good incident response is measured by building a capability and then testing it yourself.
Stop worrying about APTs and start worrying about the guy that is busy breaking into your unpatched print server and pivoting from there to your credit card data stores. Stop telling your CEO how many virus infections you cleaned up and start telling him how much risk you are taking out of the business. Start running a good security program by doing the basics well.