This is the first of a series of posts covering themes I talk about all the time. The theme today is keeping things simple.
Last week I spoke at the Interface conference in St. Paul. It was a fun talk entitled #*%! My CISO Says, covering a range of security governance and management topics. Slides are on my slideshare page. In that talk I frequently referenced keeping our security program simple.
This has to happen on many levels. Policy is a critical component of any security program. The language and concepts in policy need to be easy to understand. People will try to do the right thing if they can understand what they need to do. If policy is loaded with technical jargon and doesn't simplify complex concepts, it will lead to confusion. If staff are confused, they will just keep on doing what they are doing with the expectation that someone will correct them if something is wrong.
In addition to clearly written policy, you also need to break things down further for training. I'm a big fan of FAQs, top-10 lists and what I call the "hitch-hiker's guide to policy". With these you get right to the sound bites or short bullet lists. Whenever possible keep things to 1 page. You can tailor your message to a specific audience or situation, for instance a top-10 list of policies for new employees.
It's also important to keep things (relatively) simple on the technical side. Here I mean that we need to be sure that we have the basics, the simple stuff, covered. For instance, we are always reading about APTs (Advanced Persistent Threats), state sponsored cyber attacks and cyber war. However, if your workstations aren't patched and your users are still running IE6, you have no business buying the latest whiz-bang next-gen firewall. You need to make sure you are covering the basic areas in your security program like patching, awareness, policy, monitoring, vulnerability management, network security, access management, SDLC, defense-in-depth, etc., etc., etc. When you've got the basics covered THEN go after the latest advanced threats.
And, the same advice holds true for communicating with Senior Management. Your top executives are very busy and concerned with a wide variety of issues. You may think that they don't care about security, but they do. All executives understand risk concepts. So you must package your message appropriately. Use risk language. Keep it short and simple.
Of course, YMMV and your priorities may depend upon your industry segment, regulatory environment or other factors.
So, how do you break things down for users or managers? What examples of effective simplicity can you share? What areas of your security program are the most difficult to simplify?