I have been battling a cold this week, and normally I wouldn't mind being slightly under the weather, but I am leaving for Las Vegas tomorrow to attend CES (Consumer Electronics Show) and flying with a head cold is PAINFUL!
So...I went to bed early last night after doubling up on multi-vitamins and drinking about half a carton of orange juice.
My daily routine is pretty standard: wake up (some days, reluctantly), take puppy out, make coffee, boot up my computers, drink coffee, and catch up on emails/overnight tweets/LinkedIn messages.
While perusing the overnight tweets, one from Andy Ellis - Director of Information Security @ Akamai Technologies - caught my eye (if you are not already following @csoandy, I highly recommend it...he's VERY informative):
"csoandy - RT @amrittsering Top 10 Reasons Your Security Program Sucks http://tinyurl.com/yao44c3 <- if you aren't laughing, you're not in this biz."
Like everyone in this industry should, I learn about 5 new things every day, and an hour into my day, today is no exception! I felt compelled to "re-tweet" this post by @csoandy / @amrittsering in order to keep paying-it-forward, twitter-style.
Minutes later, my friend @Delchi sent this reply to my "re-tweet," stating:
"Delchi - @mock7 top 3 reasons my sec-program sucks : execs,vendors,users"
Of course, for obvious reasons, the second offender caught my eye, but I do not take this personally since vendors have been known to screw over clients since before I was born. I hope to change this outlook one client at a time...but that is not what this blog is about, so I will digress.
This blog IS about a discussion I had with an experienced and distinguished engineer, and how I learned something new today that I will certainly take with me throughout the rest of my career in Information Security.
Please excuse the copy and paste, but the story tells itself here:
My response to Delchi's top 3: "how about the gap between assessment and mitigation? Seems to me like this should at least make top 5."
(another side note: I have to give credit to my friend Alex K. for helping me to think about this aspect of Information Security. It is intrinsic to my job to pitch the importance vulnerability assessments, but if we do not help our clients reconcile their security gaps, then we are really just another vendor who scans, reports, bills for time, and heads to the bar. I refuse to be this kind of security consultant.)
Delchi quickly replied to my inquiry: "Execs block mitigation regardless of how much assessment. Users bypass mitigation, leaving no time for assessment when you are putting out fires."
We bantered back and forth for a few minutes, and I think Delchi was feeling inspired, because he wrote an impromptu "Top 10 Reasons Why Your Security Program Sucks." I enjoyed Delchi's fresh outlook on the topic, so I decided to write this blog. Without further adieu:
10. No executive support
9. Users refuse to comply
8. Spaf's 1st Law: "If you have responsibility for security but have no authority to set rules or punish violators...your own role in the organization is to take the blame when something big goes wrong."
7. Vendors being vendors - Not following spec, "cheaping" out, not knowing their gear/product(s)
6. Not purchasing support contracts for essential gear
5. Poor design - to include future-proofing and learning from mistakes of the past
4. [Terrible] documentation
3. No support from HR
2. Employees who have no experience in leadership roles - generally unable to make decisions because they are culturally subservient
1. Accepting the job in the first place.
Delchi is obviously not known for sugar-coating, but once you get over the harshness of his Top 10 list, it is really apparent just how correct he is. The only one I slightly disagree with is #1, since it seems a little jaded...but I also have not been in this industry as long as he has. Maybe in 20 more years I will have a better understanding of #1...or maybe changing that one will be my great accomplishment in the Information Security world.
Wednesday, January 6, 2010
Subscribe to:
Posts (Atom)