When I was a kid, my grandfather had a heart condition which required him to take digitalis. I was always warned not to mess around with Grandpa’s medicine, because it was poisonous and would kill me. I was always curious how medicine that was good for one person could kill another. That’s a strong argument for never taking someone else’s prescription medicine, isn’t it?
One drug cures all?
In the business of information security, a lot of people want to prescribe security frameworks for you, without spending any time diagnosing your condition. For example, we have the SANS Top 20, the Australian Defence Signals Directorate’s Top 35 Mitigation Strategies, the OWASP Top 10, and lots more.
I often talk with organizations who are using these as-is to guide their implementation of security controls – presuming that security is a “one size fits all” proposition. That presumption is bogus. Security, like risk, is highly context-sensitive, and each organization’s security requirements and risk tolerance are unique. That means there is no universal “best practice list” of controls that will make you secure enough.
Sure, there are some common controls that every organization should adopt. One example is system hardening (aka Security Configuration Management or SCM), but system hardening is a set of practices that is independent of which standard you use for hardening (in other words, everyone should have a similar process, but the configuration policies can vary widely depending on the needs of a given organization).
Diagnose, then prescribe
Don’t get me wrong – I’m not saying there is anything inherently wrong with the individual items within the “security advice” documents I mention above. I just think organizations need to do more diagnosis of their own conditions before they decide on the order and priority of their security controls and strategies. If you simply follow the checklist without adjusting the formulation to fit your organization’s “symptoms,” you may find that your security approach has a bunch of holes in it that could endanger the success of your business or mission.
I recommend taking a top-down, risk-based approach to security assessments, then using the results to scope, prioritize, and “prescribe” a set of actions appropriate for your organization, based on the specific sickness (aka security weakness) you’ve diagnosed.
You might still end up pursuing one of the famous Top 20 lists, but I bet you will find that you’ve adjusted the order of implementation, and tuned some of the contents in each step. You may also find yourself adding a step or two here & there along the way.
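To make the “diagnose, then prescribe” step concrete, here is a small added example (not from the original post) that takes a generic Top-N style control list and re-orders it against an organization’s own risk register, then reports any diagnosed threat that none of the listed controls mitigates, which is exactly the “add a step or two” case. The baseline controls, threat names, likelihood and impact figures, and the control-to-threat mapping are all constructed for illustration and are not taken from any published list or real assessment.

```python
"""Re-prioritize a generic control list against an organization-specific risk register.

Added example, not from the original post. Every control, threat, score and
mapping below is constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    threat: str
    likelihood: int  # 1..5, from the organization's own assessment
    impact: int      # 1..5, business/mission impact if the threat is realized

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: frozenset  # names of threats this control reduces


# A constructed, generic "Top-N" baseline, in the order the list publishes it.
BASELINE = [
    Control("Inventory of devices", frozenset({"rogue device"})),
    Control("Secure configuration", frozenset({"misconfiguration", "malware"})),
    Control("Malware defences", frozenset({"malware"})),
    Control("Data protection", frozenset({"data exfiltration"})),
    Control("Account monitoring", frozenset({"credential theft"})),
]


def prioritize(baseline, risks, extra_controls=()):
    """Return (ordered_controls, uncovered_threats).

    Controls are ordered by the total risk score of the threats they mitigate
    for THIS organization; ties keep the baseline order (sorted() is stable).
    Threats from the risk register that no candidate control addresses are
    returned separately so the organization knows it must add a step.
    """
    score_by_threat = {r.threat: r.score for r in risks}
    candidates = list(baseline) + list(extra_controls)

    def weight(control):
        return sum(score_by_threat.get(t, 0) for t in control.mitigates)

    ordered = sorted(candidates, key=weight, reverse=True)
    covered = frozenset().union(*(c.mitigates for c in candidates))
    uncovered = sorted(t for t in score_by_threat if t not in covered)
    return ordered, uncovered


def prescribed_order(risks, extra_controls=()):
    """Convenience wrapper: just the control names in prescribed order."""
    ordered, _ = prioritize(BASELINE, risks, extra_controls)
    return [c.name for c in ordered]


# Constructed risk register for a hypothetical organization whose crown jewels
# are records that must not leak, and which depends on third-party software.
ORG_RISKS = [
    Risk("data exfiltration", likelihood=5, impact=5),
    Risk("credential theft", likelihood=4, impact=5),
    Risk("malware", likelihood=3, impact=4),
    Risk("misconfiguration", likelihood=2, impact=3),
    Risk("rogue device", likelihood=1, impact=2),
    Risk("supply chain compromise", likelihood=3, impact=5),  # no baseline control
]

# The "extra step" the diagnosis shows is missing from the generic list.
ADDED_STEP = [Control("Vendor software verification", frozenset({"supply chain compromise"}))]


if __name__ == "__main__":
    ordered, uncovered = prioritize(BASELINE, ORG_RISKS)
    print("Baseline order :", [c.name for c in BASELINE])
    print("Prescribed order:", [c.name for c in ordered])
    print("Diagnosed threats with no control:", uncovered)
    print("With added step :", prescribed_order(ORG_RISKS, ADDED_STEP))
```

Running this for the constructed register moves “Data protection” and “Account monitoring” from the bottom of the generic list to the top, pushes “Inventory of devices” to the end, and flags “supply chain compromise” as a diagnosed threat that the baseline list never treats, which is the cue to add a control rather than assume the list is complete.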
After all, if you take someone else’s prescription medicine, it could very well make your situation worse. Take the time to adapt your security approach to match your security requirements and issues.