CISO/CSO Security- When To Handle Risk: Before, During, Or After

CISOHandbook.com

By Mike Gentile, CISSP & Ron Collette, CISSP 

mike@cisohandbook.com , ron@cisohandbook.com


In many organizations, CSOs and CISOs struggle to identify the appropriate points at which their security program should influence the risk profile of the enterprise. Should they try to prevent risk by ensuring that solutions are built securely before they are deployed, while they are changed once in production, or some time after the fact? This article discusses each of these situations, as well as how they come together into what we call the “Security Pipeline.” We will begin with a more specific definition of the “Security Pipeline” and then discuss the impacts that can occur depending on where you choose to participate within it.


As mentioned briefly above, the Security Pipeline is a continuum of potential points of interaction for the security program whenever people, process, or technology elements are added to the production environment of an organization. In its most elementary definition, the Security Pipeline is divided into three entry points (Figure 1): Before, During, and After.


Before: This area depicts actions that can occur prior to the construction of any new element within the organization; think of it as the analysis and design phase.  Participating in the design of new elements allows for the incorporation of security requirements (derived from policy) to be included before construction. This is a preferred position for a security program since vulnerabilities can be identified and mitigated prior to exposure in production.


During: This area depicts actions that occur when a people, process, or technology element is changed after it is in production.  In this instance, the interaction between the security program and the rest of the business usually occurs through the process of change control.  Insertion into this checkpoint allows the security program to maintain or enhance the integrity of the existing security profile even as elements of the production environment change.


After: This area illustrates post-facto events.  It generally takes the form of audit, assessments, or forensics. This would also include elements of the decommissioning process for older systems.


As Figure 1 below illustrates, the effect of a security program on risk reduction is very high in the “Before” section of the pipeline. As time goes on, the effect degrades and the risk of threat exploitation increases. As a result, the optimal area of participation for a security office, from a risk perspective, is the “Before” phase. In this phase, security vulnerabilities can be eliminated before they ever enter production, creating a stronger risk profile than if the same vulnerability were addressed in a later pipeline stage.


[Figure 1: The Security Pipeline (pipeline.gif): risk-reduction effect of the security program across the Before, During, and After entry points]


So should security programs focus all their energy on the “Before” section of the pipeline? The answer: maybe. Aside from risk, two other elements must be factored into the decision: resources and politics. Let’s take a closer look.


Resources in this context means security staffing. When considering how resources enter into the discussion, two items must be weighed. The first is the quantity of staff you will require to participate in the “Before” or “During” portion of the pipeline. Most organizations have many projects that will require participation from the security program, which can create staffing issues if the distribution of resources is not well planned or forecasted. Furthermore, a high number of projects also means many changes once those solutions are in production, which makes participation in the “During” phase very resource intensive as well.


This leads to the second resource-related item: even if you have the bodies, do they possess the right skill set to perform the job correctly? Participating on project teams as a security expert in either the “Before” or “During” phase takes a very skilled individual. You need to understand not just security issues but also those of a technology and business nature, since that will be the language of the teams you are working with. If you do not possess the right kind of staff, participation can often do more harm than good.


In situations where you either do not possess enough resources or they do not have the correct skill set, a more targeted approach might be the answer. This targeted approach is usually better served in the “After” phase of the pipeline. In this phase you can choose where to participate, giving you more control over the amount of resources and the type of skill set that will be required. The downside, of course, is the amount of time that passes before you can address risk when working only in the “After” phase. Before making a decision, though, let’s look at the last item that should be considered: politics.


Politics are a very strong consideration when choosing where to play in the pipeline. Positive participation in the “Before” and “During” areas of the pipeline can lead the rest of the organization to view the security program as willing to help out, supportive, or a team player. Participation by the wrong type of individual representing the security program can lead to the program being viewed as a “know-it-all” or “inefficient.” There are also risks if you participate solely in the “After” phase of the pipeline: if you only work with others through audits, you expose your program to being viewed as “Big Brother” or the “Security Police.” So what do you do?


The answer is that one size does not fit all. Take a look at the three considerations we discussed today (risk, resources, and politics) to aid in making the right decision for your program. Often, a blended approach that supports balanced participation across all three pipeline entry points works best. As you begin to participate in the areas you deem most appropriate, listen carefully to the feedback you receive from the business and make changes accordingly. This approach will manage risk effectively, ensure the best use of available security resources, and position the security program as a positive force within the organization.


Posted on Monday, June 12, 2006 (Archive on August 14, 2006)
Posted by CISOHandbook.com
Copyright (c) 2010 CISO/CSO Handbook