2011
06.07

Thanks to Rafal Los @Wh1t3Rabbit of HP for writing this awesome article on the “Impending Doom of IT Security”. The article points to some of the key problems with information security in its current state. There is a huge disconnect between the business and information security, specifically in regard to how we fit in the environment.

The term security has become synonymous with security operations. I personally feel that is the biggest problem facing our industry. It is reminiscent of the late ’90s, when system admins started seeing huge drops in salary, only to find out MCSEs now gave themselves the same title. Information security has evolved way beyond operational responsibility; we are now in the Information Risk business. We try to align ourselves with the business in order to mitigate the day-to-day risk. I cringe when I hear “IT Security”, as that implies that we belong within IT.

The new buzzword of the times is GRC (Governance, Risk, Compliance), which no doubt has been brought to market by the Big 4, who come to the table with the thought process that Information Risk Management is either black or white. In order to understand the risk involved with running your business, you must understand the value of the individual processes within your business. Security operations (firewalls, AV, IDS, SOC) guys are for the most part technical drones who, while they are good at their jobs, do not understand the business. The same holds true in reverse: I also firmly believe that you can’t take a business analyst and teach him or her security. A control is not necessarily a tool or a technology; it is a mechanism to reduce a risk. It can take the form of:

  • Administrative (Policies, Procedures, contracts, etc.)
  • Technical (Firewall, IDS, proxy, Encryption, and the list goes on)
  • Physical (Cameras, Guards, Locks)

If you do not have a solid background in technology, specifically in security, you can’t possibly design or recommend controls that reduce the risk associated with that business process. The business is tasked with valuing the asset, as they are the owner. A technical background is essential in order to understand threats which may exist against technology within your environment. Let’s face it, we will never be responsible in our field for understanding the risk of manual processes. Our job is protecting tangible and intangible assets, and for the most part anything an in-house risk professional is responsible for will have technology attached to it in some form. The controls might not be technical, but 90% of the time the process will be.

If you aren’t technical in nature, guess what: you’re an auditor that can use a methodology someone else wrote, without understanding why. Raf’s article had a very good point on why the business sees security as a tool. They relate security back to appliances, firewalls, intrusion detection systems and so on and so forth. In my opinion that is because, unless they are regulated by industry or government regulations, they don’t understand it. They assume, and for good reason, that the job of protecting the organization is part of IT. Hey, I got a firewall and AV, I’m good.

We need to have a common stance among our profession on what a “Security professional” is:

  • Are we Information Risk Managers? Yes
  • Should we develop policy? Yes
  • Should we perform threat modeling? Yes
  • Should we be involved in the SDLC? Yes (includes CM)
  • Should we perform risk assessments? Yes
  • Should we do vulnerability & penetration testing? Yes
  • Should we be part of supply management? Yes
  • Should we be part of business continuity? Yes
  • Should we be familiar with every regulation we are bound to? Yes
  • Should we provide valuable KRIs? Yes

What do we not do?

  • We don’t implement security
  • We don’t accept risk on your behalf
  • We don’t say No, regardless of what we think
  • We don’t make business requirements

I’m sure there are a few things I left off the list of what we don’t do, but consider the ones we do. Would you feel comfortable saying you can teach those aspects to a person that doesn’t have a good technical security foundation?

@Mckeay was nice enough to hold a roundtable as the topic for his weekly podcast on some of the frustrations that security professionals share with the industry as a whole. Thank you Martin! Also, please feel free to follow the conversation live using the hashtag #JADEDSECURITY.

As always, comments with the exception of spam are more than welcome.

Disclaimer: Next time don’t take a podcast from the couch after 10 cups of coffee while wearing a gamer headset.

  1. Excellent article. A couple of things to consider is that under ISO 27001 a security function cannot report to IT. You’ll never get certified if the organization is not structured correctly. I usually use that as a “selling” point to have the security function moved under a different VP. If anyone finds a situation where the CIO doesn’t want to give up security, it makes a compelling case. ISACA had a whitepaper published a few years ago about the convergence of physical and information security. I’ve also modified the concept to recommend that both the physical security and information security governance function go somewhere else other than operations. Usually I recommend that it fall under Legal, Compliance, Finance, or Internal Audit. That usually depends on how the organization is structured.

    Another area I start in to help with an engagement is to start with the CEO and CFO to understand the business. By starting there you understand the financial constraints and understand what is important from the business end rather than through the technology organization. The advantage here is that you can usually get a statement from the CFO on the amount of money to be spent on controls and how much residual risk they will accept. Devising controls is a lot easier if you have a risk acceptance statement and a CapEx budget to make recommendations off of.

    Excellent post I’ll be adding you to my RSS!

    • Thanks. Good points, but 27001 doesn’t specify the org chart; it states there must be an oversight of administration. That’s easy to slide by if you use audit as oversight. Thoughts?

      • I usually approach it that the line item “Conduct internal ISMS audits at planned intervals” can’t really work if IT audits itself. I usually try to grab someone from Finance and have them on my side (that’s why the CFO is important to talk to first). Having Finance explain why they need an independent Internal Audit function usually clears things up. IT doesn’t have GAAP like Accounting does, but by taking the path down ISO 27001 an organization is taking it to the next level so it is kind of like GAAP for IT. Every ISO 27001 certification audit I’ve been at, the auditor does ask about the organization structure. By setting it up with the “ISMS manager”, who just happens to be the head of security and the whole security department, we manage to avoid a deficiency. Yes it might be stretching it to move the whole organization somewhere else out of IT, but I like the idea when working with clients. Though I have had one make the ISMS manager someone out of Manufacturing since they were already ISO 9001 certified.

        • Nice! I have been in finance a long time and getting certified in anything is the least of their concerns. I know 27001 well, but getting a financial buy-in might take a small miracle. It is an easier sell for manufacturers. Finance still thinks a SAS 70-1 is sufficient in most cases.

  2. Let KPMG be their SOX auditor and they’ll be thinking different. KPMG’s people have said “Everything is in scope” because it touches finance. That usually pulls 100% of IT in. If they want to generate billable hours by sucking in everything else, you can be sure that they leave no stone unturned in finance.

    With the other 3 firms I can usually sell them on the scope being just the VLAN finance is on, especially if we don’t use AD authentication for access to the ERP systems. Doesn’t always work, but that’s another handy tip I use.

    • Big 4 guys including KPMG get confused when you use big words. I have passed 404 with almost no controls. I hate the Big 4 with a passion.

      • I second your hatred. Overpriced and painfully easy to get round. They hire automatons, pay them pennies and then charge their end clients a fortune.

        The whole thing is an epic fail propped up by people who want to be able to say “look we were audited by [insert Big 4], so we must be great.”

        How people still buy into this is beyond me.

        • MARKETING! That has to be it. They should all go the way of Andersen. I remember when I took the CISA, the whole room was packed with Big 4 people I know.

  3. Excellent article, again, and you have hit on some topics that I spend half my life ranting about and trying to change.

    The phrase “IT security” should be made illegal as it inherently leads to confusion and complication. I have worked for, with and at, countless organisations that have confused their security simply by creating arbitrary names for the sections.

    IM(NS)HO security is security. There is no way to isolate each of the parts that go towards keeping a business as secure as possible, and any attempt to do so is doomed to failure. By allowing ourselves to fragment into physical security, “IT Security”, BC/DR people, Personnel Screeners etc., we are just ensuring there is no joined-up approach across the board.

    Security is important. Security is what prevents the business losing money. Done properly, security can also be used to win new business and retain clients. Security is important.

    Sadly, over time even security people have fallen into the idea that security should exist as part of some other department. It is true that security could be part of legal, finance, compliance, assurance, HR or even (shudder) IT. But why should it be?

    Why should a business subordinate its security needs to the needs of another department? Most companies already realise that the hiring and firing process is important enough to live in its own area but baulk at the idea of business protection being distinct from other functions. It is madness.

    (mini-rant over)

    One last point – possibly at odds with others here – I also don’t think that “Information Security” is a profession that requires detailed IT knowledge. Yes, if you want to pentest networks and assess system architecture you need to know it, but “information” is a much broader church than the IT department.

    I know of some people who are absolutely faultless at protecting a business’ information assets who have never been a SysAdmin and wouldn’t even contemplate either the command line or an RJ45 jack. They succeed by understanding the business processes, properly identifying the threats and making world class suggestions on how to mitigate against that.

    While I don’t want to downplay the skills and experience that IT/Network people have (that is my background), the fact is that these are now fairly commonplace and what sets the Security Professional apart (and justifies the outrageous fees I charge :-) ) is that we don’t do the work other people can do.

    • Thank you once again. I’m hoping people don’t start thinking you’re my well-written alter ego :-) Great rant.

      Yes, there is a lot of disagreement over my point. I don’t think security professionals must know what an RJ45 is, how ethernet trunking works, how to use vi, etc. I do however think they need to know the theory at levels slightly above. Let’s look at mobile, as it’s currently one of the topics. If you don’t understand the technology, how can you accurately identify all the potential risks around the use of it in your environment? The folks you know are good at their jobs because, I guarantee you, they are geeks like me. We need to figure out how everything works, and that’s what makes us good security guys. You don’t have to know the difference between cat 5 & 6, but you do need to know what type of threats can expose a vulnerability in them. No?

      Take for example colo (not cloud). What inherent risks do you have of using a colo for your business? We know what they are, the same way we know what the risks are associated with using shared office space without any technology involved.