As an industry of security professionals, we all work to provide ever better solutions to the organizations we serve, but we must also take care to not let our own rhetoric lull us into a false sense of security, lest we become poster children for security breaches – not an effective business strategy by any stretch of the imagination.
A lot of organizations have what sound like good policies, but they end up getting caught short because they don’t follow their own policies, or they don’t follow them consistently. In many cases, they may not even realize they aren’t following their own guidelines: something changes, and they don’t notice it (or don’t recognize the impact of small changes on their security posture).
Recent events that – when mentioned in certain company – are sure to elicit wincing, cringing, and groans of empathetic discomfort include:
- Bit9 Breach: “KrebsOnSecurity broke the story of the breach at Waltham, Mass.-based Bit9, which involved the theft of one of the firm’s private digital certificates. That certificate was used to sign malicious software, or “malware” that was then sent to three of the company’s customers…” Bit9 later acknowledged that the breach was in part the result of a simple SQL injection.
- Symantec NAV Source Code Breach: “Anthony M. Freed said he had been provided with a file that, after preliminary analysis, appears to contain source code for the 2006 version of Symantec’s Norton anti-virus product. He said this had been sent to Symantec and was awaiting its analysis…” Symantec later confirmed the company had been breached more than six years prior to the source code disclosure, but had only subsequently become aware of the intrusion.
- HBGary Breach: “The embattled CEO of HBGary Federal has resigned his post three weeks after Anonymous hacked into the company’s network and stole thousands of e-mail messages. The ease with which Anonymous conducted the attack left the company that provides security services to the federal government red-faced…” The hacktivists exploited unpatched servers and weak passwords, and used social engineering to carry out the operation.
Some organizations heard about these incidents and thought, “If these security companies can’t do it, how can I?”
Don’t worry, nobody’s perfect and – when you get right down to it – security providers are regular ol’ companies just like any other, with ordinary people in their employ, intellectual property to protect, systems to maintain, budget constraints to battle, and all the other challenges that non-security-oriented companies have to deal with on a daily basis.
They say, “the price of freedom is eternal vigilance,” and I think effective security bears the same price tag.
To better understand how security teams can accomplish the task of “walking the talk,” and ensure that security connects with the business, I asked our intrepid road warrior CTO Dwayne Melancon (@ThatDwayne) to explain what he is learning from the enterprises he works with around the globe, and this is what he had to say:
AMF: Are you seeing a shift in how security fits into our organization?
DM: Security is getting a lot more attention due to high profile breaches and incidents in the news. Additionally, security teams are being tasked with showing more business value (some may call it “return”) for the funding we receive. I find that we are competing with other business activities for resources – the business is asking whether they should give security more budget, or invest in a new marketing campaign, for example.
AMF: How should security efforts align with overall enterprise risk management?
DM: Security investments should align with the “shape” of the risks facing an enterprise. In other words, you spend more on things that are more important to the organization.
However, risk is only part of the story – impact should drive a large portion of your security approach and resource allocation. Ultimately, security activities need to be traceable so you can easily show how they defend or enable the enterprise’s goals. This means we need an integrated risk management approach so everyone is on the same page about what is most important to the business, and the relative importance of everything else.
AMF: How can security executives prioritize what’s most important to their organization?
DM: One way is to tie security back to the mission of the organization: How it makes money, serves customers, reduces cost, protects reputation in the market, etc. You can also relate it to the “must protect at all costs” elements of your organization, such as protecting intellectual property or military plans, protecting customer personal/financial/medical data, protecting the integrity of information, etc. The important thing is for each organization to own the priorities – you can’t use someone else’s, as these priorities are unique to each organization.
At Tripwire, we rely on the involvement of a cross-functional Risk & Security Oversight Board to determine priorities, look at risk holistically, and ensure we don’t focus too narrowly or tactically.
AMF: How are organizations measuring the impact of security on our business?
DM: Some examples or key indicators are the percentage of incidents that result in loss, incidents that compromise availability objectives, incidents we detected vs. those detected by others, percentage of our systems configured according to our internal security policies, and so on. Many organizations also measure customer and internal user satisfaction on security topics in order to gauge confidence, as well as to balance the “convenience vs. security” equation to match the level of risk.
One of my favorite metrics is “percentage of incidents detected by an automated control.” I like this one because it helps drive better efficiency by driving toward automation, which helps in a few, key areas: First, it forces you to understand how your incidents are detected and which controls are contributing to your awareness. Second, it helps you reduce the cost of security, which really helps to get non-technical executives on board. Third, it helps take some of the “drudge work” out of the lives of your senior security analysts so they can spend their time on more interesting things. That last one is a key to retaining good security staff.
AMF: How do you know you are measuring the right things?
DM: When metrics and dashboards drive action, decisions, and productive discussions between the business and our security organization, we know we are focusing in the right areas. When they cause non-technical stakeholders to take responsibility for the security in their own areas of the business, you’re really on to something.
AMF: What are effective ways of communicating security efforts to other business units and the C-suite?
DM: I believe in providing periodic dashboards (weekly or monthly, depending on the stakeholders) with high-level, trended indicators. These should be color-coded, as graphical as you can produce, and should definitely use language that business people outside of IT will understand – that is, the best communications about security should mirror the nouns and verbs in the company’s annual report or business strategy.
AMF: How can you make security efforts more visible to the rest of our organization?
DM: Part of this is internal PR – posters, email campaigns, etc. We hold brown bags to discuss security topics and give people a chance to ask questions, and provide videos on key topics so people can get to the information on-demand. We run regular security awareness training (online) with periodic follow-up to help with retention.
That helps build a base of historical information. When you communicate this information, you can increase the organization’s engagement by breaking out results by business unit manager, which drives healthy competition to keep people’s attention on this area. Nobody wants to be last on the list, and nobody wants to be in the red. I find this “internal competition” strategy gets executives to pay attention.
AMF: How do you keep security aligned with the organization’s objectives moving forward?
DM: Earlier, I mentioned our Risk & Security Oversight Board. That Board helps set the priorities initially, but their job is ongoing. They are the group that keeps things aligned, links security to our business, and ensures there is alignment on the relative priorities the business faces with regard to security and risk.
When we agree, it’s easy, but this Board is also where we resolve differences in opinion, political tug-of-wars, and other things that could cause us to fail.
The Board includes senior management from across the company, which helps establish tone at the top and makes it easier to create energy and momentum outside of information security.
AMF: Any specific advice on better connecting security efforts to the business?
DM: Find a “coach” or advisor to help. I find teaming with the CFO, the Controller, General Counsel, and Internal Audit can help. They understand controls, think about risk at the corporate level, and – perhaps most importantly – can help you create data, metrics, and presentations that are compelling to a very senior, non-technical business audience.
AMF: Can you offer one key takeaway for security teams?
DM: When dealing with executives, use metrics that include words and metrics they instantly recognize and care about. Stick to small numbers, primary colors, and up/down trending wherever possible.
* * *
All this week, we will be at Infosecurity Europe and BSides London talking to infosec pros, CISOs, hackers, and everyone else who is involved in producing and consuming the wide array of security solutions available in the marketplace, seeking to better understand how we as an industry can better serve our constituency.
We won’t be able to talk to everyone, of course, but we are interested in gathering all the input we can on the subject of connecting security to the business, so please let us know your take on the issue with a comment below or through private correspondence (firstname.lastname@example.org).