Published: 01 Dec 2003
I hear lots of security stories -- about massive security architecture projects, attempts to implement role-based access control, techniques for fighting viruses and spam, and so on. When you listen to as many stories as I do, the "best" often bubble to the top. In the spirit of this special issue of Information Security, here are my thoughts about what defines the best People, Policies, Processes and Products in infosecurity.
The best People are those who embrace the challenge of securing the business. Most security managers are having a tough time getting their arms around this whole "business view of security" thing. As security professionals, we're genetically programmed to anticipate bad things that might happen, and then work tirelessly to mitigate the risk. But now, business units and executives are leaning on security managers to justify their actions and budget requests from a business perspective. That's new territory for most security professionals.
Ultimately, cracking this nut will fix the most serious problems facing the entire security industry. As more security projects actually help make the company successful, our profession will build a reputation as a business enabler.
The best Policies are easy to follow, well understood, refreshed often, and enforced. I often hear complaints such as, "Nobody pays attention to our policies"; "They have no teeth"; and "Our employees forget the policies right after they read them." What's the problem here? The key to effective policy is simplicity. Using detailed, technical language or long, tedious explanations is a surefire way to fail. The best security policies are written in everyday language, have simple, to-the-point instructions, and are no more than three pages long. If we can't promote proper behavior in a couple of pages, we probably can't do it at all.
The best Processes are efficient and effective at the same time. It's one thing to have documented processes -- three-ring binders detailing every step. It's quite another to organize all security activities so they drive toward a common goal: the fulfillment of the company's mission statement. After all, isn't helping the business succeed why we do security in the first place?
Achieving efficiency means finishing projects in less time, for less money and with less effort. We commonly call this process "security architecture," but it's also an attitude. Our job isn't securing the network; again, it's our job to secure the business.
The best Products are those that we can't remember paying for. That's because we've gotten so much value from them that they've paid for themselves. The best product is the technology or service that helps us manage compliance with business and architecture goals, regulations, industry standards, and privacy and security policies. Sure, authentication (passwords, smart cards, biometrics), authorization (encryption, antispam, firewalls) and administration (Web single sign-on, identity management) are the fundamental building blocks of a security program. But if we assume bad things will happen no matter how diligent we are -- and we should -- audit, monitoring, recovery systems and compliance management become our most effective weapons.
The best People, Policies, Processes and Products produce the greatest benefits without excessive cost. They make the company successful -- building airplanes, selling insurance policies or performing medical miracles. "The Best" really make a difference, and without that someone or something, the company will suffer.
In infosecurity, obscurity and confusion characterize every sales pitch to every prospective customer. By striving to be the best in this industry, we'll revitalize sales, protect our company and articulate the value of what we do.
About the author:
Steve Hunt, PP, CISSP, is VP and research director of security at Forrester Research.