It's very easy to get discouraged in the information security business. Every piece of software, every software as a service we use is potentially vulnerable to security threats: some known, many likely not known. When these threats are exploited (it's no longer a question of if), data and reputation loss are likely results. Even if you've secured the central repositories of this data, the client devices that access that data, perhaps even storing that data, have their own vulnerabilities and threats. When you sprinkle in the configuration errors that are all too prevalent and permit more access to resources than absolutely required, it's easy to come to the conclusion that the game is over, the jig is up, we're compromised, and we're done.
The worst of all this is: you most likely don't even know what resources you have. Even when you know, you probably don't have a lot of say in who can access which resource, and how. When you try to bring this to the attention of the executives to get more resources to address the issues, the executives don't see the value.
Over the last couple of years, I've been working with Check Point customers to understand their specific situations and come up with a long-term game plan. As part of that process, I try to find out what's truly important at the business level. This means not talking to the technical people, but to the business leaders. This helps provide some clarity on which of the thousands of potential security issues out there need the greatest focus.
It's also important to enumerate what's in the environment, starting with the critical assets. Where are they? Who accesses them? What security controls are in place to ensure only authorized persons can access those resources, and only in a non-malicious way? A logical network diagram showing where everything is, along with an understanding of the various traffic flows, is very helpful in figuring this out.
The presence of controls in the environment is one thing. Are they configured per the principle of least privilege? Are those controls logging? Are you actually reading those logs and/or using a properly configured Security Information and Event Management (SIEM) product to help contextualize what's happening? Are you acting on the information these tools are giving you? If a serious breach does occur, do you have a plan in place?
I'm sure there are a lot more questions I could ask (and sometimes do, depending on the customer). However, there is only so much information I can gather over the course of two or three days. I then take this information and write a report with recommendations. These reports can be somewhat long, depending on the customer.
What I've also started doing, which I believe is more valuable, is summarizing all the relevant information in a spreadsheet. It's designed to be executive-friendly, showing the issues, relative risks (with color codes), recommendations, cost to improve, and so on. It's by no means perfect, but the goal is to bring a bit of order to the chaos: showing a potential plan to move forward and a framework you can use to re-evaluate the situation in the future.
The question I ask of my fellow information security professionals: how are you helping your organization bring order to the chaos of Information Security? Are you just reacting to events as they occur (something that is unavoidable), or do you have a long-term strategy in place that you are actively implementing?