This article can also be found in the Premium Editorial Download "Information Security magazine: Are you secure? Adam Putnam says, "Prove it!"."
Most of these laws are the result of a collaborative effort. Tip o' the hat to Fred Avolio, Jay Heiser, Pete Lindstrom, Marcus Ranum and Joel Snyder for their input.
- You cannot eliminate risk.
You can mitigate risk. You can insure against it. You can even ignore or accept it. But you can't eliminate it. Same goes for the components of risk: vulnerabilities, threats and impact.
- CEO's mantra: Make more, spend less.
CEOs invest in security for two primary reasons: to comply with regulations; and to protect corporate image, brand, reputation and intellectual property. Your job is to demonstrate how spending a dime on security today saves the company a dollar tomorrow.
- "Good" security: No. "Good enough" security: Yes.
It's often said that security is successful when nothing happens. But that doesn't mean a single breach means failure. You have to accept risk at some level. It's OK to have weak security as long as you and your management understand it's weak and made an informed decision to keep it that way. This may mean that you're willing to accept a "contained" breach under certain circumstances.
- Everyone is accountable for security.
Ask your end users who's responsible for security. If they point to you, you've got a problem, because they'll also point to you when the inevitable breach happens.
- Security isn't sexy and exciting; it's boring and routine.
Enterprise security is less about flashy technology than about human relations, communications and accounting. Fighting fires is exciting. Preventing fires is boring. Which activity more effectively reduces the number and impact of fires?
- There will never be enough budget.
Security managers always complain about lack of funding. In some organizations, this is a legitimate gripe--there's simply no management focus on security, and there never will be. But at most organizations, if you build a business case for security, you'll get the budget you need (notice I didn't say "want").
- Security is equal parts people, policy, process and product.
Unfortunately, most security practitioners focus mainly on the last "P." In the enterprise of the future, many security technologies--firewall, VPN, AV, IDS, patch and config management--will move entirely into sys ops and the data center. Businesses will covet security professionals who can master "soft" skills.
- After you solve your top security problem, you'll still have a top security problem.
Security isn't a destination. It's a lifecycle: identify, assess, deploy, monitor, detect, respond. Rinse and repeat.
- CISO's dilemma: "Many hats, no hand."
The good news: More organizations are formally appointing CISOs--in some cases, because regulations force them to. The bad news: The increase in CISOs doesn't translate into a more stable security program or more authority in enforcing security policy. At a time when most organizations desperately need strategic security leadership, CISOs are still heavily involved in tactical and operational activities--because there's no one else to do them.
- The number of vulnerabilities is infinite.
There will always be more vulnerabilities to address, because the creation rate of new ones exceeds the discovery rate of old ones.
About the author:
Andrew Briney, CISSP, is editorial director of TechTarget's Security Media Group, which includes Information Security, SearchSecurity.com and the Information Security Decisions conference.
This was first published in May 2004