What do you really need to know in order to run a successful information security program? As a professional security geek I somehow end up in conversations like this often.
Throughout the ages, many smart people have uttered phrases to the effect of “knowledge is power.”
But knowledge about what?
The security of your organizational environment is a complicated beast. And, as is true with any complicated beast, the more information you have, the better.
Sun Tzu put it well when he said “If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
If Sun Tzu is correct, while you may have the greatest advantage if you know your enemy well, you are in the greatest peril if you do not know yourself well. This suggests that you have the greatest opportunity to improve your own situation if you have solid knowledge about yourself and your own capabilities.
Again the question arises: knowledge about what? And that brings on a whole new set of questions.
1. How well do you know your critical data assets and systems? Do you know which data is the most important to your business? Do you know which of your data has regulatory requirements for its protection? Have you clearly identified customer and client information? Do you know which of your information is your own intellectual property and genuinely gives you a competitive advantage? Do you have at least a sense of the value of that information? Do you know which of your information a competitor or malevolent attacker would find valuable and target for compromise? Do you know which of your systems (including servers, cloud environments, client workstations, mobile devices and portable storage) contain any of this valuable information? Do you know how you are protecting the confidentiality of this information? Do you know what technology and processes you are using to protect the integrity and availability of this information? Do you know how this information is backed up? Do you know how any of this information and its supporting systems will be restored to operation if that becomes necessary?
2. How well do you know the skills and capabilities of your own people? Does your IT staff have hands-on training and experience on ALL of the operating systems used in your organization? Does your IT staff have hands-on training and experience in ALL of the systems used in your organization, including all database technologies? Does your IT staff have hands-on training and experience in the networking protocols used in your organization? Do your IT and/or security staff have hands-on training and experience in the security technology used in your organization (most notably whichever of these you use: IDS, IPS, firewalls, routers and anti-virus)? Does your application development staff have hands-on training in the application languages and tools used in your organization? Does your application development staff have hands-on training and experience in formal application development techniques and technologies? Does your application development staff have hands-on training and experience in secure application development techniques and technologies? Do your IT, security and production support staff understand their roles and responsibilities to protect client and customer information? Does your IT staff understand their roles and responsibilities to protect organizational internal proprietary and sensitive information? Does your IT staff understand their roles in the event of a breach and the appropriate incident response?
3. How well do your IT and security staff know exactly which operating systems and applications are running in your operational environment? Do they include servers, end-user client systems and all supported mobile devices in their tracking and management? Does your IT staff know exactly which operating system version and patch level is on every production system, as well as on any development, integration and QA environments? Does your IT staff understand the value of maintaining an active patch evaluation process that helps keep all systems, operating systems, utilities and applications up to date? Do your IT and security staff actively track all relevant vendor patches and the potential impact each could have on the functionality and security of your environment? Do your IT and security staff actively track vendor releases and patches so that they can obtain and evaluate new patches and updates in a timely manner? Do your IT and security staff actively track which vendor patches they apply to which systems in every organizational environment?
4. How well do your security staff manage known vulnerabilities in your environment? Do they track vulnerabilities detected by staff as well as those detected from internal and external vulnerability scans? Do they include vulnerabilities identified in all portions of your environment, including in operating systems, utilities, third-party applications and vendor equipment? Do your staff understand enough of vulnerability management that they can effectively evaluate the results of vulnerability scans and actively patch and otherwise remediate vulnerabilities in a timely manner? Do your IT and security staff correlate found vulnerabilities with key or critical systems and information to help prioritize potential impacts and mitigation activities?
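The last two questions above (exact version and patch level per system, and correlating scan findings with critical systems and data) are where an asset inventory and a vulnerability tracker meet. The following is an added example, not code from the original post: it joins constructed scan findings to a constructed inventory so that remediation is ranked by business impact rather than by raw scanner score alone, and it surfaces any host that a scanner saw but the inventory does not know about. The hosts, vulnerability identifiers (`EXAMPLE-000x`), criticality scale and the weighting in `risk_score` are all hypothetical choices made for this illustration.

```python
"""Added example: prioritize vulnerability findings by asset criticality and
data sensitivity. All hosts, findings and vulnerability identifiers below are
constructed sample data, and the scoring weights are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    host: str
    os_version: str            # exact version / patch level, as the post asks for
    criticality: int           # 1 (low) .. 5 (business-critical); assumed scale
    data_classes: set = field(default_factory=set)   # e.g. {"PII", "regulated"}


@dataclass
class Finding:
    host: str
    vuln_id: str
    cvss: float                # scanner-reported base score, 0..10
    source: str                # "internal-scan", "external-scan" or "staff"


# Constructed inventory: what runs where, and why each box matters.
INVENTORY = {
    "db01":  Asset("db01", "RHEL 8.9 (2024-03 patch set)", 5, {"PII", "regulated"}),
    "web01": Asset("web01", "Ubuntu 22.04.4", 4, {"customer"}),
    "dev07": Asset("dev07", "Ubuntu 22.04.1", 2, set()),
}

# Constructed findings from the three sources the post names.
FINDINGS = [
    Finding("dev07",  "EXAMPLE-0001", 9.8, "internal-scan"),
    Finding("db01",   "EXAMPLE-0002", 6.5, "external-scan"),
    Finding("web01",  "EXAMPLE-0003", 7.2, "staff"),
    Finding("ghost9", "EXAMPLE-0004", 8.0, "internal-scan"),  # not in inventory
]

SENSITIVE = {"PII", "regulated", "customer"}


def risk_score(asset, finding):
    """Business-weighted score (assumed formula): scanner severity scaled by
    asset criticality, plus a fixed bump when sensitive data lives on the host."""
    score = finding.cvss * asset.criticality
    if asset.data_classes & SENSITIVE:
        score += 10
    return score


def prioritize(inventory, findings):
    """Return (ranked list of (host, vuln_id, risk), sorted list of unknown hosts).

    A host the scanner saw but the inventory does not list is reported on its
    own: that is an inventory gap to close, not a finding to drop on the floor."""
    ranked, unknown = [], set()
    for f in findings:
        asset = inventory.get(f.host)
        if asset is None:
            unknown.add(f.host)
            continue
        ranked.append((f.host, f.vuln_id, risk_score(asset, f)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked, sorted(unknown)


if __name__ == "__main__":
    ranked, unknown = prioritize(INVENTORY, FINDINGS)
    for host, vuln, risk in ranked:
        print(f"{risk:6.1f}  {host:6}  {vuln}  ({INVENTORY[host].os_version})")
    print("seen by scanner but not in inventory:", unknown)
```

Note what the ranking shows: the highest CVSS of the batch (9.8 on `dev07`) lands at the bottom because the box is low-criticality and holds no sensitive data, while a mid-severity finding on the regulated database ranks first. That is the correlation the question asks for, and it only works when the inventory is accurate, which is why the unknown-host list is printed alongside the ranking.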
5. How well does your organization's management understand your own threat posture? Do you understand your industry and competitors well enough to fully evaluate the threat from competitive intelligence gathering, including by foreign governments? Do you understand the impact that non-security business decisions can have on your security profile? Do you know whether you have recently taken any actions that elevated your visibility among potential attackers such as hacktivists? Do you know what the public perception of your organization is right now? Do you know whether your industry is currently, or has recently been, under cyberattack? Do you know whether any of your vendors, suppliers or partners have been or are under cyberattack? Do you know whether your organization has recently been attacked, is under attack, or is about to be attacked?
I leave you with no answers this time, only questions. These are, however, questions you should be asking yourself. And for each of the answers you get, you should be asking two more questions:
1. Are you sure that you are getting the accurate answer, not just an answer that someone thinks you want to hear? You really do not want an answer, you want the answer.
2. Is that answer good enough? Does the accurate answer paint a picture of your organization which is good enough for what you do, and fits with your own operational risk level?
But be careful. Not everyone needs the best security. Keep in mind that there is a concept of “appropriate security” for everyone. Even security geeks can call some set of security controls “good enough.” But, make sure it is “good enough” because that is what you truly need, and not “good enough” because that is what you just happen to be doing at this particular moment in time.