Tip 1: Building a C+ Security Effort – 5 Tips to Achieve What Your Execs Want & Your Business Needs:
You Only Need an A+ Security Posture if a Life is at Stake
This series explores 5 tips for building a sustainable, repeatable and effective C+ security effort: one that can pass security audits and comply with regulations while keeping a strong dose of practicality. Time to go from F to C+, baby!
Tip #1: You Only Need A+ Security Posture if a Life is at stake
Almost every security regulation or framework out there is written to a single benchmark, with no allowance for situational context. Do I really need to perform a complex risk analysis, as an ice cream maker, to protect against something like my website being defaced? It seems kind of silly when you think about it, but if you follow most of the available frameworks there really isn't any guidance on where to draw the line. To be fair, I understand the potential brand impact and all the other buzzwords we use in security to get these types of efforts funded.
The bottom line is that in security we often present only an A+ benchmark and its associated solution, short on practicality because it was driven and designed by security folks with the "goalie" fear described in the first article in this series. In the end, this leads to a situation where the A+ risk assessment approach is presented, management is horrified into doing nothing, and then, "Surprise!", nothing gets done, or, for you scholastic folks, an F approach is executed.
In the example above, this is played out as:
Security Folks: "We need to perform a full-blown assessment of your website, Mr. Ice Cream Maker."
Ice Cream Maker Owner: "No way are we doing that. I really don't care if my site is hacked."
End Result: Nothing ends up being done.
Security Folks (At Bar over a beer): “This is not what my CISSP Prep book said would happen.”
Now let's look at a different scenario. Instead of performing a complex risk analysis on this ice cream manufacturer's website, suppose we are analyzing the risk of terrorists introducing bacteria into the product on the manufacturing floor during production. Different story, huh? For all of our families' sake, I want that to be an A+++ effort (and you should too).
So I know it may be controversial, but in almost every situation these days, when I decide how to implement security, I shoot for a C+ benchmark. That buys the practicality that gets the effort funded, which gives the organization what it needs. The exception is when a life is at stake. It really is that simple.
Read Part 1: Making the Security Grade