As you’ve probably heard, yet another security ‘emergency’ was discovered, threatening everything we hold dear. While the media made a huge deal, security professionals everywhere groaned – but why?
For security professionals, this should be business as usual, an opportunity for us to demonstrate our professionalism, our value, how we earn our money and, more to the point, why we earn it when these ‘emergencies’ are not happening.
All we should hear from security professionals is glee as their well-oiled machines switch into gear and they get to prove that they are able to operate at times when mere mortals quake in fear. For many though this is not the reality.
The reality of these situations is that they expose all the weaknesses, tradeoffs, resource constraints and other things that blight security programs everywhere, turning these occasions into embarrassing fire-fighting exercises intertwined with mumbled, ambiguous answers to uncomfortable questions from bosses, customers, executives and even your own people.
If, on these occasions, you are scrambling, saying ‘I don’t know’ a lot or look like a deer in the headlights, then chances are, when the dust settles, you need to take a serious look at your security program.
The security program is the one thing that is supposed to ensure that these occasions are a time to shine, rather than a time to brush off your resume. The security program is something based on a huge body of work by very intelligent people that you can implement at your leisure. It is the very thing that should be purring out nice reports of color charts that tell you all is right in the world and helps you sleep soundly at night.
If this is not the case with your security program, there is one single measure that determines if your security program is effective and it has nothing to do with how invulnerable you are to things like Shellshock. The one single measure of the effectiveness of your security program is that, no matter how bad things are, your higher ups are not surprised.
In situations like Shellshock, your executives should know the issues and risks as they are finding out about the latest cyber scare on the evening news. The security program not only tells you how secure you are in terms of the controls you have but also in terms of those you don’t. Coupled with the maturity you are operating at it tells you where you need to get to and what it is going to take.
These are all things that should be disclosed to management, auditors and risk committees continually. If you spend your time glossing over the reality of the situation, or hiding the truth, then you will be sorely tested by events, such as Shellshock, and will most likely be held responsible when things go wrong.
In short, if you cannot secure the enterprise, the one thing you must do is ensure that this is communicated, understood and signed off on. If you have not done that, then your security program really has failed.