Mon 9 Nov 2009
Building a security program from the ground up
Posted by andyitguy under Security Programs, information security
I was listening to Pauldotcom Security Weekly episode 172 (yes, I’m running behind) the other day, which by the way was very good. They had a great interview with Prajakta Jagdale who works for HP (via SPI Dynamics) as a Web App Security Professional. She knows a ton about web app security and does a great job of explaining it. But, that’s not the point of this post. Part 2 of the podcast included some conversation by the guys on what would be the first and second thing that they would implement if they were starting a new position and had full say on what to do.
That got me to thinking about what I would do if I had the opportunity. So I’m going to tell you what I would do and then ask you to do the same. Tell me what you would do. If I had the poll module installed on my site I’d do a poll but for now I’ll just let the comment section be our poll.
Here are a couple of assumptions: They already have a firewall and host based security suite installed and up to date. Beyond that, it’s a crap shoot.
If I were coming into a company and had a free hand to do what I wanted I would first look at what I could do to get the biggest bang for my buck quickly and then focus on the long-term strategic planning. It’s easy to say I’d do “x” and then “y” but actually implementing them is another story. It takes time to plan and test it before you can roll it out. I’d say the first thing I’d do is implement a monitoring system so I can have some insight into what is going on. Probably something such as Snort in pure IDS mode just to give me something to go on.
Once that was in place I’d probably implement a Vulnerability Management program that starts with Application and OS patching and then focuses on the scanning, testing, exploiting, etc. As that is being rolled out I’d be working on getting a good Security Awareness Training program to help my users understand the risks. Other things that would be going on at the same time would be related to governance: working with the business units to see what their needs are and ensuring that Policies and Procedures were relevant and effective.
This is just a starting point. There is much more to be done, but this should get things going nicely. Obviously this is just an exercise and many of the real decisions would depend on the current security posture, risk, vulnerabilities, business needs, etc. So now it’s your turn. What would you do? What comments do you have on what I’d do?


Now that all the platitudes have been uttered and you actually have the job, the first thing I would do is determine exactly how committed the executive management team is to supporting and fostering an environment where information security is important. I am going to need to know the answer to that question before I can proceed much further.
Let’s assume that the team is behind us. In that case, my next step is going to be to determine the maturity of the company’s information security policies and standards. The number of times I have been told “Show me the policy” before I can get anybody to do anything is countless. Need to shore up that front before I begin trying to make changes.
Once those two things are taken care of, I would begin with the tactical type steps you mention above pretty much in the order you mention.
-Kevin
I’d buy the Pragmatic CSO and then do that… Yes, a little tongue in cheek, but you do have to understand what needs to be protected, figure out where the leaks are, and then put in place a triage plan to address the most pressing concerns.
Mike.
http://blog.securityincite.com
http://www.pragmaticcso.com
Congrats for thinking of security awareness! Picking up on what Kevin suggested also, I’d probably focus the early awareness one-on-one sessions with senior managers first, starting by informing them about the basics about threats, vulns, business impacts, investment, risk management, security control, compliance and IT governance (that’s all!), meanwhile trying hard to find and push whatever buttons they have in order to turn infosec into a hot topic for the organization.
Demonstrable strategic fit between infosec and business goals is one thing rational managers can hardly argue against, at least not openly!
Using your Snort and vulnerability management info, coupled with IT audits, security reviews/gap analyses, incident reports, pen tests and whatever other security status info, metrics and horror stories I can gather from the organization, I’d consistently but gently point out the generally poor state of security (not scaremongering, oh no!). Then, having whetted their appetites for “something needs to be done” I’d pull out the ‘good practices’ card based on ISO27k or others [doesn’t matter too much at this stage which one: it’s enough if they swallow the concept of adopting generally accepted information security standards as a way to drive up the organization’s security maturity, leveraging what lots of other organizations and experts have already figured out].
Then I’d probably be ready to offer them a coherent security improvement strategy for discussion and (hopefully!) funding.
At each stage, I’d try to get ahead of management’s game so whatever comes next in my cunning plan is already being prepared while they are still mulling over current issues. The point of this is to get some serious momentum going as there is inevitably a lot of inertia to overcome. Also, every interaction with management is an opportunity to tune in to corporate politics, find supporters and detractors and look for shared goals.
In summary, I guess I’m proposing initial management-level security awareness activities as a lead-in and to justify the main security improvement program, rather than merely as something to be delivered to management in the course of the security program itself (which it will be, but later on as a separate activity).
I’m not sure how well this fits with Mike’s Pragmatic CSO approach but I’d be interested to know of any major departures!
Cheers,
Gary
Andy, I think I’d pretty much start with the same general focus as you. I’d want to know what the environment looks like. If there isn’t an inventory system in place, better get one. Start some scans, start some monitoring, find out what is present and what the security state of those things are. This should then help formulate what projects should come next.
So, in short:
inventory system/asset scans/vuln scans
monitoring such as an IDS
There are so many other things though, that would be just fine, like the management and policy focus of the above commenters. Or looking at what requirements you can get at your back from the start to help push projects to completion. And security awareness so you’re not fighting a lonely, uphill battle at every minute.
I’ve just posted a lengthy response on my blog at:
http://www.secureconsulting.net/2009/11/how_not_to_build_a_security_pr_1.html
Basically, I found this post interesting, Andy, but rather naive. I think you make some bad assumptions that in the end can doom you. I mean, despite being hired for such a position, it turns out you can’t even assume that people actually want you there, let alone for you to be successful or to change anything. fwiw.
-ben
I think that all of you have provided Andy with some really good pointers – and among them, I think that the best two are to obtain Senior Management’s “Buy in” and support – and that this should be communicated from the TOP! This action should be coupled with an initial Information Security Awareness effort to win the masses over – however, this has to be done in a relevant way dependent upon whom your audiences are (IT, End Users, Senior Management, etc.). Don’t bring them to your level, Andy – make sure that you bring yourself to theirs. Walk their walk and talk their talk. Be an advisor and not an adversary – and remember, behind the highest level of technology down through the lowest, there are always human beings out there behind it that design it, plan it, develop it, test it, and use it!
Good luck in your endeavors!
Paul W
Gary…Glad you asked this question.
The main question, especially in information security, is to determine if your future boss will provide you the “autonomy and authority” to get the job done. No ifs, ands, or buts: it’s there or it is not. If there is some ambiguity on this, then move on to another company. Support from direct and indirect management is vital to ultimate success. Without this important characteristic, it’s not going to work.
However, should you pass this crucial obstacle and accept the position, there are quite a few unanswered questions:
Current/future business strategy/model
Current IT/Security infrastructure and personnel
Annual budget for Security
Current Security state internally
Basically, you have to know what the current situation is, what risk issues exist, and how you’re planning to resolve them. This will involve a thorough risk management process. Once this major step is completed, it’s time to develop a long and short term security strategy. Throwing technology and equipment around at the start isn’t wise as familiarity with the infrastructure is required especially before strategy development. Strategy development will include the people, process, and technology blueprints integrated with the layered security (both physical and logical) transparent flow. Naturally, this will take time, but not as close as the implementation process.
The budget allocation requires development to follow your security strategy. There are times where the most expensive is not necessarily the best. This depends on the amount of risk discovered and accepted by senior management. The higher the risk/consequences, the higher the budget per your given security strategy.
Personnel can be a fixed or variable asset depending on the security strategy. The best option is to hire him/her with multiple skill sets with sound experience and education. Furthermore, they must think 3 dimensionally, handle many responsibilities, and synergize these responsibilities to drive solutions. Give me 3 of these individuals, over 15 normal ones, and I’ll show you a World-Class Security Department. The smaller it is, the narrower the communication process, the higher the collaboration rate, and the tighter the agility expounded as a team or individually.
There you have it in a general sense. What I left out is the attitude a manager must bring to the table, but I’ll save it for my future blog.
Michael Stephen Ruiz
http://www.linkedin.com/in/TopSec1