I've had a lot of time to think about what I consider to be the key success factors to good security management. I've only been doing information security for about six years - so it is not a huge length of time really. But I've worked in a lot of different environments over time and like to think I'm reasonably observant. I also pride myself on learning from the mistakes of others and not just my own.
So, with that said, I'm just going to post some of my own thoughts on this subject, but I'm very keen to hear what other people have to say. Particularly from those who have been doing this a lot longer than me.
Know Your Business
What are the key business operations? What are the key applications and environments? What are the business drivers, and what are the risks that jeopardise all of the above? What is the business strategy? What is the IT strategy? Are the two aligned, and how can security help to meet these objectives?
Understand The Organisation's Risk Appetite
Who are your business stakeholders? What do they consider risky? Is their view in line with the business (see above)? Do the stakeholders themselves pose a risk to the business?
Educate The Business
Make sure your business stakeholders know what the key security requirements for the organisation are, and make sure they have a basic understanding of risk management and treatment options. Make sure your application support and development teams are aware of common security flaws and either practise secure application development or are working towards it. Ensure your infrastructure teams are aware of security best practice and that all your IT teams work towards secure standards, templates and repeatable processes, so that security is done right - first time, every time.
Enable, Don't Restrict
Look for ways to say 'yes' to the business rather than 'no'. Find ways to encourage and support new initiatives and ideas. Implement security in a way that wins friends rather than making enemies.
The business already perceives security as restrictive and burdensome. If you can find ways to build it into your processes and procedures, ensuring that security practices are automated as much as possible, then the battle is half won. Most security failures can be attributed to either human laziness or lack of awareness. Assuming your practices were established with security in mind before being automated, the work is then of a consistent (secure) standard.
Don't Stay Technology Focused
Not that the technology isn't important (obviously), but you must accept that the growing number of attack vectors and constantly evolving technology make it almost impossible to stay on top of everything. Think about it - ten years ago, XSS and SQL injection were brand new. Ten years before that, web applications and VOIP were unheard of. What will the threats look like ten years from now? Can any of us honestly say for sure?
Having a good but broad technical skillset is more important than trying to be the best at everything. If you want to stay tech focused, there is nothing wrong with that - however, I would then suggest you pick one, maybe two, areas that you are willing to commit to. Even then, be flexible enough that you can change and adapt with the times. Certainly don't neglect your soft skills (see below).
Keep Up With Emerging Threats
This may sound contradictory to the last point, but it really isn't. You don't have to understand the finer points of every new form of attack. However, you must understand at a basic level how they occur and how they can be resolved, and you must identify people with the skillsets - both inside your organisation and outside of it - who can help you to plug those gaps within your business.
Security is never a one-man show. Even if you have no direct reports, your ability to implement security depends more on your ability to articulate, educate and influence than it does on raw technical skill. You can't do it all.
If you cannot specify security requirements or define the security position without upsetting your peers and stakeholders, then you are not helping security in your organisation. Learning how to deal with and manage people is a vital skill if you want to do well in information security. So much so that the longer I work in this industry, the more convinced I am of this.
Know When To Be Firm
Part of being a leader is knowing when to stand firm. Sometimes in security you have to take the hard line. Knowing how and when to pick your battles is crucial. Folding to unreasonable business demands or constantly trying to acquiesce to the business never wins friends in the long term. If anything, it can be detrimental to how others perceive you. Worse yet, it compromises security.
Know When To Delegate / Know When To Take Ownership
Know when to delegate work, but also recognise when you need to take the work on yourself - especially the high-risk items and those of strategic importance to the organisation. Be clear on your reasons behind those decisions and stand firm on them (see above).
People who are impassioned are motivated. Their enthusiasm rubs off on others. You have fewer uphill battles and more discussions about how to implement something rather than why.
Don't Take It To Heart
Security in the real world is an exercise in accurate risk management. The risks aren't yours - they are identified by security for the business to own. In that role, you are basically the messenger. If you haven't worked in security, you may be surprised by the number of risks that are accepted on a daily basis.
Welcome to the 'real world' of information security. :)
Just as you pick the right battles to fight, you have to accept the ones you have lost. Stay on top of your risk register as much as you can, and try to make sure these risks aren't forgotten. Try not to take the risks personally (I personally struggle with this one), but just do what you can with the resources you have, and take solace in the fact that if your work has resulted in even one vulnerability being fixed, then you have had a positive influence on your organisation and the world.