I need to vent a little bit today. If you’re a security professional, pay close attention. If you’re anything else, make sure your trusted security professional pays attention. If you’re a fan of football, the American version, you know what it means to do tackling drills. It’s simply getting back to the basics. All the defensive schemes, coverage options, etc. are lost when you simply can’t tackle. When you, the defensive player, make contact with the offensive player, you must be able to stop them. Period. End of discussion. Hit ’em hard and knock them down, or tie ’em up long enough for your teammates to help out. If you can’t do those things, you need to get back to the basics.
We information security professionals need to get back to the basics sometimes too. Far too often we get caught up in all the defensive schemes such as intrusion detection, application testing, web application firewalls, blah, blah, blah. We’ve forgotten some of our foundational techniques.
I’m going to highlight a few of these in hopes some of us will put on a “throwback” uniform and get back to the “old school” days of information security.
It’s all about information security. Information is the critical term here. Not computer security, not server or network security, quite simply… information security. Our job is to protect information regardless of its state (electronic, paper, verbal, etc.). This may not be true in all companies, but it should be, and we as professionals need to consider this.
Risk management should be our primary motivation. Just because a risk exists doesn’t mean you need to worry about it. Let the business be your guide. As you become better at driving a car, you learn to watch the road far ahead of you and not worry so much about what’s right at your bumper. We need to do a better job of seeing the risks on the horizon and prioritizing them alongside the ones right under our noses.
Policy and procedures matter. Efficiency is gained and errors are reduced when a process is documented and followed. Without the process, periodic failure is almost assured. We need to place more emphasis on getting systems and applications well documented before moving on to more “mature” techniques.
Location, Location, Location. If we really are worried about information, then the location of that information is critical. “Mothers, it’s 2am, do you know where your children are?” We’ve all heard it and it’s absolutely true. You can’t secure what you don’t control. Finding where your data resides and determining the risk in those locations is paramount to the success of your information security and risk management program.
Walk first, then run. Re-evaluate where you are on the maturity continuum every now and then. Have you taken any steps backwards? Are all of your process documents still valid? Do you have a valid data inventory? Has your company made any acquisitions or mergers recently? Our business and technology landscapes change constantly. What makes you think your risk and security posture will remain constant?
Don’t be afraid to take a step back every now and then and run some tackling drills. It’s better to reinforce some basic ideas in a system that’s working well than to wait until everything is falling apart. We have to stop keeping up with the Joneses, too. Just because all your peers at a conference are buying a new technology doesn’t mean you’re ready for it. As a business owner, I’d rather be working toward maturity slowly and methodically, because at some point the going’s gonna get tough, and I want to be prepared to handle it, not just have the badge that says I can.