In Information Security, you must first define your goals. These goals have to be realistic and inline with the resources at your disposal.
One of the questions I like to ask security professionals is, “What is your security strategy?" Amazingly, the response often contains phrases like “We have firewalls and IDS’s on the perimeter”, or “We do vulnerability management using vendor xyz”.
Now, call me a stickler, but I have to smile at the thought of Napoleon being asked about his strategy at the battle of Austerlitz. He likely would have responded with, “Well, I am going to use cannon, and then grenadiers, and I also have some cavalry”. That, of course, is not so much a description of a strategy, as an inventory of the available resources.
Another common answer usually goes along the lines of “We have a security policy that defines secure usage, and secure procedures”, which once again, if applied to Napoleon would translate to, “Our soldiers are being taught to use their weapons and to understand orders”. The quick-witted reader will have noticed that this also does not describe a strategy, but rather processes.
The most common response, and by far my favorite, goes something along the lines of “Our strategy is to keep hackers out, and monitor internal users”. That is the goal of course. Literally, that’s the goal - not a strategy. A strategy should somehow lead to the goal.
According to Dictionary.com, one definition, and the one most apt for our purposes, is:
a plan, method, or series of manoeuvres or stratagems for obtaining a specific goal or result;
Couched in those terms, most businesses do not appear to have anything even remotely resembling a strategy, aside from wanting to “Keep hackers out”, or “Win the war” in Military parlance. It is little wonder that most organizations fail abysmally in securing their assets, when even what constitutes a strategy is grossly misunderstood.
In the case of Information Security, you must first define your goals. These goals have to be realistic and inline with the resources at your disposal. If you have a huge user base for example, with little control on where they are and what hardware and software they use, you cannot hope to successfully provide full spectrum security, just as a heavily outnumbered force without heavy support could not hope to win a pitched battle against a far larger foe. Similarly, if your available budget and resource pool is too small to secure the entire infrastructure and user base, you need to assess and prioritise where the greatest risks lie and focus managing identity and access control to these valuable assets.
Precedents and inspiration can be found in military strategy and history, which also concerns itself with very similar concepts, such as having to police and monitor large populations, securing and defending strategic assets against superior strength and numbers, and controlling and managing access to critical resources. Strategies such as checkpoints, (in our case, data) fortresses, and layered defensive lines are as suitable for the corporate intranet as they are in Baghdad or Kabul.
Strategies are nested, meaning that there are different layers, or sub-strategies that together combined comprise the overall strategy. If the overall strategy for example is to manage and control access to all data and resources, the sub-strategies would each outline different approaches towards doing this, like a strategy to always be able to uniquely identify all network participants.
Far too much value is placed on buying the standard basket of technologies; Firewall, IDS, Anti-virus, and the other usual suspects, oftentimes without proper assessment of whether this portfolio is strategically the most suitable choice, nor then deployed tactically the most effective. Sadly, regulatory compliance has considerably exasperated this one-size-fits-all approach, meaning that a large chunk of that ever so tight security budget is already spent and spoken for, but not necessarily to best effect. There is now a new and upcoming generation of security technologies that blur the traditional definitions, of what constitutes a firewall for example, and these may not get the traction that they should if they appear to take away a percentage of the security budget needed to adhere to regulatory compliance. That would be a pity and counterproductive for the overall security posture.
These additional technologies, if the budget still allows it, are then usually added to this baseline checklist, usually to address further requirements and provide additional specialist functions, and are as a consequence treated as appendages and not fully or holistically integrated. But a thorough, well thought out strategy also has to be implemented and executed well, meaning that if your initial strategic assessment identified IAM, or DLP as important, these should be the leading technologies, around which all else is built. Anything that provides the foundation of your strategy should also be treated as a fundamental component, with supporting technologies taking only a supporting place. Most importantly, these different solutions have to be tied together, and the accompanying strategy should consider how they overlap, to provide layered security akin to chainmail, with each layer overlapping at multiple points.
To provide an illustrative example, tanks were initially considered by many as death traps and a failure, originally used as mobile battering rams or artillery. On paper and in theory, they looked like a great idea, but proved rather easy to eliminate, for example by simple infantrists sneaking up from behind and attaching an explosive charge, until trial and error showed that the deployment of accompanying supporting infantry and lighter armoured vehicles greatly countered this weakness, and once fully integrated turned them into the personification of the ultimate heavy shock cavalry that we know and stand in awe of today.
A strategy, or strategies, should somehow lead to fulfilling identified goals and priorities. Just buying a selection of off-the-shelf solutions, without proper consideration of how these integrate, interlock and interact to provide a fully layered security approach will build a very expensive, unmanageable insecurity nightmare, as many depressed and demotivated security engineers can attest to. In addition, it will provide about as much defence against hackers as a paper-bag. Without a strategy to tie all of the defensive and protective measures and technologies together, they are like an army without a general, or like a computer without software.