Hello folks,it's been a while but I wanted to start sharing some thoughts on again on a more regular basis, so I will try and post every couple weeks, or more often as I can.
Today I wanted to highlight a couple issues that I as a consultant often see with my customers. When I perform an assessment of their environment, I'm often asked a couple reoccurring questions.
""How do you think we would do in an incident?"
"Do you think we need to buy XYZ tool or technology?"
Often the Information Security teams I am working with are new and are in the process of building/rebuilding due to some type of change (merger/acquisition, change in staff, divestiture, or program/leadership change).
In almost every case my answer to the first question is going to be, everyone needs to continue to prepare and be vigilant, even organizations where they believe they are ready for an incident will struggle a bit when the event finally happens (or more accurately once they finally detect it). There should always be an aspect of continuous improvement to your Information Security program, each service needs to be measured, and must have metrics that can show how well things are working and how then, with additional resources or adjustments, can be improved.
My answer to the second question is almost always going to be, "Probably not, how do you approach that today?" Unless you are a new company or a very small company, you have probably been buying software and solutions over the past 10 years. You probably have more software or solutions than you can legitimately use, and definitely more than your team can reliably manage. Your organization would probably benefit more from additional staffing or training of your staff vs. a new tool/toy that can't be leveraged due to staffing or lack of knowledge.
If you don't have a documented process or procedure for something you do regularly, write it down and get it approved as a policy. It will help you to train new staff, provide you with a place to send developers and project managers when they ask for requirements, and if you have any compliance requirements, will need to be done anyway. Too often when I am working with a customer, they will explain a very arcane process to be in detail verbally, but have no supporting procedure or policy that they can refer to or use as a basis for standardization. This causes many many issues and is a poor excuse for anyone who is trying to be an Information Security professional.
Once you have the document created, be sure to review and revise it on a regular basis (annually is a standard approach). That way the information is current, and you can continue to improve on the contents of the document, with additional items learned over the prior year (from incidents, new threats, etc.).
June 19th 2015
Today I wanted to highlight a couple issues that I as a consultant often see with my customers. When I perform an assessment of their environment, I'm often asked a couple reoccurring questions.
""How do you think we would do in an incident?"
"Do you think we need to buy XYZ tool or technology?"
Often the Information Security teams I am working with are new and are in the process of building/rebuilding due to some type of change (merger/acquisition, change in staff, divestiture, or program/leadership change).
In almost every case my answer to the first question is going to be, everyone needs to continue to prepare and be vigilant, even organizations where they believe they are ready for an incident will struggle a bit when the event finally happens (or more accurately once they finally detect it). There should always be an aspect of continuous improvement to your Information Security program, each service needs to be measured, and must have metrics that can show how well things are working and how then, with additional resources or adjustments, can be improved.
My answer to the second question is almost always going to be, "Probably not, how do you approach that today?" Unless you are a new company or a very small company, you have probably been buying software and solutions over the past 10 years. You probably have more software or solutions than you can legitimately use, and definitely more than your team can reliably manage. Your organization would probably benefit more from additional staffing or training of your staff vs. a new tool/toy that can't be leveraged due to staffing or lack of knowledge.
If you don't have a documented process or procedure for something you do regularly, write it down and get it approved as a policy. It will help you to train new staff, provide you with a place to send developers and project managers when they ask for requirements, and if you have any compliance requirements, will need to be done anyway. Too often when I am working with a customer, they will explain a very arcane process to be in detail verbally, but have no supporting procedure or policy that they can refer to or use as a basis for standardization. This causes many many issues and is a poor excuse for anyone who is trying to be an Information Security professional.
Once you have the document created, be sure to review and revise it on a regular basis (annually is a standard approach). That way the information is current, and you can continue to improve on the contents of the document, with additional items learned over the prior year (from incidents, new threats, etc.).
June 19th 2015
Comments