Rothke was about to give a presentation on this very subject at the 2013 RSA Conference in San Francisco, but he gave us a sneak preview on the show floor just beforehand.
They may seem simple to many of us, but ask yourself whether all five are actually being practised effectively in your organization.
- Have a CISO: Somebody needs to drive security. For example, a Chief Financial Officer is critical for driving finances. Similarly, a Chief Information Security Officer is critical for spearheading the company’s security practice.
- Risk Management: Risk drives everything. The CISO understands the risks and threats the organization faces and designs a security program around that. This must be customized and not a series of standard “best practices.”
- Invest in people not products: “The cost of hardware and software purchased has no corresponding effect on the level of security,” said Rothke. A company with great talent using open source tools will be more secure than a company that spends millions on proprietary products but doesn’t know how to use them properly.
- Policies and procedures: It’s very important to have standardization across all business units and processes. You want the firewall installed and managed in one location to be installed and managed the same way in another location. “If things aren’t done via standard processes you’ll have inconsistencies and that’s where security breaches and mistakes happen. When you don’t have common procedures and common practices things are done ad hoc, and ad hoc is the enemy of good security,” warned Rothke.
- Awareness: People need situational awareness of what they are doing. For example, if you don’t have effective key management, all the security you have will go up in smithereens, said Rothke.