ORLANDO, Fla. -- To manage risk, maintain razor-sharp security architecture and still enjoy a peaceful night's sleep, security professionals at this week's InfoSec World conference offered this advice: Know your limits, speak the boss's language and embrace change.
It also wouldn't hurt to learn the 80/20 principle -- the theory of 19th-century economist-mathematician Vilfredo Pareto that 20% of what you do makes 80% of the difference.
That advice, offered by Shelley Bard, senior security strategist with Verizon Federal Network Systems (FNS), sat well with at least one conference attendee. "The 80/20 concept is something we fall back on quite a lot," said Charlie Burton, senior technical analyst for the travel distribution services division of Centennial, Colo.-based Cendant Corp.
Bard took the concept a step further. "If you have a limited amount of resources… find out which assets need to be secure above all else, and at least protect those while you form a plan to cover the rest." Do that, she said, and you'll go far in mastering risk management.
An example is ensuring the most vulnerable parts of the network are patched. Bard said last year's SANS Top 20 list
"If you can protect against the top 10 vulnerabilities, whether you have a Windows or Linux environment, you're pretty much covered and can sleep at night," she said.
Anyone drawing up a risk management report should also have a crystal-clear idea of what they are
Another lesson for any aspiring risk manager is to drop the IT jargon when you're talking to a boardroom full of executives. Map out the risks clearly -- in terms of potential cost -- and your chances of success improve.
During a roundtable discussion on security metrics, James Christiansen, CISO for Costa Mesa, Calif.-based information services provider Experian, said, "You build credibility through communications. Turn off your IT head when you're talking to executives. You need to speak their language."
You can also measure success by how well you're able to change behavior over time, he said. A key to success is in knowing how to adjust your own system of metrics as things change. "Last year, how many of you thought phishing would be a problem?" he asked the audience. "How many worried about their company's reputation suffering because someone hacked into their network and stole sensitive information?"
In a dynamic world, Christiansen said, IT professionals must be ready to change based on new threats.
That was also the message of Phil Maier, vice president of the information security engineering/deployment group at Inovant, the San Francisco-based payments processing arm of Visa. Maier led a session about planning and deploying a strategic security architecture, and change was a constant theme.
"Recognize that what's out there is changing," he said. To prepare for change, he said, you have to aggressively evaluate where technology is headed and which devices could help bolster your company's specific security needs for years to come.
"To be strategic, look at the market and think long term," he said. That means a constant evaluation of everything from PKI [public key infrastructure] to intrusion prevention systems, security appliances and authentication. Whether you go with a certain technology or not in the end, he said, it doesn't hurt to include an array of options in your strategic security plan.
For example, he said PKI can easily be put in your plan. It's still a difficult technology to manage. But, he said, "It's finally maturing. They're finally getting it right."
For Roger Cressey, an NBC counterterrorism analyst and former presidential advisor, preparing for change also means preparing for worst-case scenarios like a massive terrorist attack on the Internet.
"Every enterprise should have its own security council," he said. "Every business must assume an event will happen. Don't approach it like the aviation industry did [before the Sept. 11 terrorist attacks]. They didn't want to spend the time and money on security. The IT industry can't make that mistake."