Information security management hype: Debunking best practices


David Mortman, Contributor

The security industry is no stranger to hype. This is especially true concerning "best practices." The term seems self-contradictory: Best practices are defined by talking to lots of organizations to see what they're doing and -- if enough people are doing it -- then it's called a best practice. But if everyone is doing it, then isn't it just an average practice?

In reality, best practices are what every company should be doing but almost none actually are. On the off chance that a company is one of the few actually applying a best practice, they are almost always applying it at a fraction of the level they claim they are. The issue here isn't maliciousness or even incompetence, but purely and simply a matter of business realities. In other words: Implementing security best practices isn't seen as being worth the money for the return the company is going to get.

Case in point: Best practices (and various compliance regulations) say that employees should change their passwords every 30-90 days and that companies should enforce strong password rules: each password should include capital and lowercase letters, numbers and symbols/special characters, and be a minimum of 8 characters in length. Because the regulations demand it, this is a best practice that more and more companies have implemented. Yet relatively few organizations are fully in line with it. The rules are easy to enforce in an LDAP or Active Directory environment, where password aging and complexity are native policy settings, but doing the same for UNIX boxes authenticating off of NIS means every host's PAM configuration and the NIS shadow map have to be set up and kept consistent, and in practice it requires third-party software. Many mainframe environments have similar issues. (Later guidance, notably NIST SP 800-63B, dropped mandatory periodic rotation and composition rules; the point here is the gap between a control that is mandated and one that is actually enforced, and that gap remains.)
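The gap between "policy says rotate every 90 days" and "the system forces rotation" is something you can measure. The following is an added example, not code from the article: it reads /etc/shadow-format records (the same layout an NIS shadow map serves to UNIX hosts) and reports accounts where the maximum age is not enforced by the system at all, where aging is disabled, or where the password is simply older than the policy allows. The sample records and the audit date are constructed for the example.

```python
"""Audit password rotation on shadow-style records.

Added example, not code from the article. Given /etc/shadow-format lines,
such as the records an NIS shadow map serves to UNIX hosts, report the
accounts for which the "rotate every N days" rule is not being enforced
by the system or is not actually being met. Sample records are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, /etc/shadow format:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg = days since 1970-01-01 of the last change (0 = must change at
# next login, empty = aging disabled); max = enforced maximum age in days
# (empty = no maximum).
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehash:14600:0:90:7:::
alice:$6$saltsalt$fakehash:14610:0:90:7:::
bob:$6$saltsalt$fakehash:13000:0::::
svc_backup:*:0:0:::::
carol:$6$saltsalt$fakehash:14620:0:180:7:::
dave:$6$saltsalt$fakehash::0:90:7:::
"""

# Audit date expressed the way shadow stores it: days since the epoch.
# 14650 falls in early 2010; fixed so the example is deterministic.
TODAY_DAYS = 14650


@dataclass
class Finding:
    account: str
    issue: str


def parse_shadow(text: str) -> List[Tuple[str, str, Optional[int], Optional[int]]]:
    """Return (name, hash, lastchg, max) per record; empty fields become None."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"malformed shadow record: {line!r}")
        name, pw_hash, lastchg, _min_age, max_age = fields[:5]
        records.append((name, pw_hash,
                        int(lastchg) if lastchg else None,
                        int(max_age) if max_age else None))
    return records


def audit_password_age(text: str, today_days: int,
                       policy_max_days: int = 90) -> List[Finding]:
    """Flag accounts where the rotation policy is unenforced or violated."""
    findings: List[Finding] = []
    for name, pw_hash, lastchg, max_age in parse_shadow(text):
        if pw_hash.startswith(("!", "*")):
            continue  # locked or non-interactive account: nothing to rotate
        if lastchg is None:
            findings.append(Finding(name, "password aging disabled (empty lastchg)"))
            continue
        if lastchg == 0:
            continue  # change forced at next login; compliant by construction
        # Policy on paper vs. policy enforced: will the system itself force a change?
        if max_age is None or max_age > policy_max_days:
            findings.append(Finding(
                name,
                f"maximum age not enforced by the system (max={max_age}, policy={policy_max_days})"))
        age = today_days - lastchg
        if age > policy_max_days:
            findings.append(Finding(name, f"password is {age} days old, exceeds {policy_max_days}"))
    return findings


if __name__ == "__main__":
    for f in audit_password_age(SAMPLE_SHADOW, TODAY_DAYS):
        print(f"{f.account}: {f.issue}")
```

Run against a real map (`ypcat -k shadow.byname`, reformatted to shadow layout) the "maximum age not enforced" findings are the interesting ones: they are the accounts that look compliant on the day of the audit but will drift out of compliance because nothing on the host will ever force a change.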

Alternatively, let's look at end-to-end encryption. This is a great idea in principle: if all data is encrypted as it flows across the network, it is much harder to steal in transit. Encryption isn't a panacea, though. An attacker can always go after the applications or the storage devices, where the data sits in the clear, so those vectors have to be looked at as well. Even so, if end-to-end encryption is such a great idea, why are so few companies doing it? Why is it that, even if the domain is limited to Web-based applications housing an organization's most critical data, only a limited set of organizations follow this best practice?

This comes down to the business reality that the cost of implementing end-to-end encryption is disproportionately high relative to the perceived value that data encryption provides to an organization. It turns out that while it is relatively inexpensive to implement SSL/TLS from a Web browser to the Web server or load balancer, as encryption extends further into the application stack, each additional hop (application server to authentication server, application server to database) brings its own certificates to issue and rotate, its own trust configuration to get right on both ends, and its own cost.

This is especially true for the connection between the application servers and the database. Combine this with the loss of passive audit visibility once the link is encrypted (network-based intrusion detection and database activity monitoring that worked by sniffing the wire can no longer see the queries, so monitoring has to move onto the endpoints or be given the keys), and it suddenly becomes hard to justify the total hard and soft costs of implementing end-to-end encryption. As a result, the technology is probably only implemented in extremely security-conscious companies or those that have been badly burned, like Heartland Payment Systems Inc., companies that know the monetary value of such encryption in preventing a data loss.
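What "encrypting the application-to-database hop" actually buys depends on a handful of client settings, and the shortcut that makes the rollout cheap is also the one that makes it nearly worthless. The following is an added example, not code from the article or from any particular database product: a weak client TLS context beside a hardened one, plus an audit helper that reports the usual shortcuts. The file paths are placeholders.

```python
"""TLS for the application-server-to-database hop: weak vs. hardened.

Added example, not code from the article or from any particular product.
Shows the client-side settings that turn "the link is encrypted" into
"the link is encrypted to the server we meant", and an audit helper that
reports the usual shortcuts. File paths are placeholders.
"""
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """What many 'just enable SSL' rollouts amount to: the bytes on the wire
    are encrypted, but any certificate is accepted, so an on-path attacker
    with a self-signed certificate terminates the session unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_file: Optional[str] = None,
                            client_cert: Optional[str] = None,
                            client_key: Optional[str] = None) -> ssl.SSLContext:
    """Context an application tier should use towards its database or
    authentication server. ca_file is the internal CA that signed the
    database's certificate (None falls back to the system store);
    client_cert/client_key enable mutual TLS so the database can also
    reject connections from unknown application hosts."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses that make an 'encrypted' link not worth much."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        problems.append("certificate not matched against the server name (check_hostname off)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 accepted")
    return problems


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    # With placeholder paths omitted, the hardened context differs from the
    # weak one only in the settings the audit checks.
    print("hardened:", audit_context(hardened_client_context()))
```

Database drivers expose the same knobs under their own names (libpq's `sslmode=verify-full` with `sslrootcert`, for instance); the recurring cost the article describes is distributing and rotating that CA file and the per-host client certificates across every application server, not the encryption itself.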

Best practices are often good ideas; it's just that they are often orthogonal to the business realities surrounding them. As a result, no matter how loudly we as infosec pros scream from the rooftops that these security measures are necessary, they just aren't going to happen until the best practices and the business practices come into greater alignment.

As regulations have come about mandating security controls, it has become a lot easier to implement certain technologies to achieve this alignment. I guarantee that if the next version of the Payment Card Industry Data Security Standard (PCI DSS) were to mandate end-to-end encryption, suddenly there would be several thousand companies trying to implement it and there would also be a lot more investment by product companies developing products to help meet this need. On the other side of the coin it is imperative for information security pros to realize that not every industry best practice is the right choice (or even a realistic one) for many enterprises. Next time you see someone offering up a list of best practices, be sure to take it with a grain of salt and a dose of pragmatism.

About the author:
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led up Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.


All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy