Monday, April 22, 2013

Stuff I Say - Do What Makes Sense

   Today I'm continuing a set of posts I started last year.  These ideas are covered in a fun talk entitled #*%! My CISO Says, covering a range of security governance and management topics.  Slides are on my slideshare page.  The first two posts are here and here.

   The idea of doing what makes sense is central to my thinking (about many things).  In security, many people base their strategies and tactics on what they read or what others are doing.  But you can't provide useful information security based on what you read in a book.  One size does not fit all.

   When we don't do what makes sense, we end up with ineffective controls (like this ineffective control from one of my favorite security pictures).

   What works in one organization does not necessarily work in another.  This can be true for a variety of reasons including differing regulatory environments, organizational culture and kinds of assets/information.  This is why I've never liked the phrase, or idea of, "best practices".  I prefer "good practices" (more on that some other time...).

   It's easy to say we want to do what makes sense.  But how do we put that into practice in our organizations?

   Here are 2 considerations:

Risk Management approach.  Rather than using strategies and practices from a book, we need to understand a number of things about our organization including:
  • what "stuff" do we have?
  • what stuff do we need to protect?
  • what threats do we know of?
  • to what threats are we vulnerable?
  • what is the potential impact if these threats manifest?

   Asking these, and subsequent, questions can help lead to a better understanding of the environment

   Then... Seek out and destroy policies/practices that do not add value!  Consider:
  • ineffective controls - find them and get rid of them!  And, if you do remove a control, make sure that you let the users know!
  • annoyances that effect people's perception of security - convenience v. security is always a trade-off, but your controls must take into account people's work practices
  • what makes work harder - security and IT must support the business.  If complying with controls negatively impacts the business you may find your program overruled.
  • overly strict practices can cause people to try to circumvent controls to get things done.
   This doesn't mean that the security organization allows a free-for-all.  My point is that by considering how users need to use the systems, examining alternatives, and working with your business partners, you can come up with a set of controls that protect systems and data, meet regulatory requirements AND allow people to get their work done.

   Can you think of ineffective or unnecessary controls in place at your organization?  How have you partnered with business users to come up with controls that meet all needs?

No comments:

Post a Comment