Into the Breach – Audio Series – Chapter 8 (Measuring Success)
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 8)
The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot have been shared – and now it is time to measure success.
So how do you measure what matters so you can communicate what counts?
In this chapter, “Measuring Success,” Michael draws on his background of social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.
Learn how to measure what matters and communicate what counts.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by
- Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
- Subscribing to The Security Catalyst podcast & blog to get more insights
- Learning more about The Catalyst Foundation Series – proven success for security initiatives to excite, ignite and turn insiders into allies who reduce business risk!
Go deeper Into the Breach with Michael Santarcangelo with EMC
Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. Learn how to harness the power of your people to inform and improve the risk management process in a matter of weeks. Go to www.configuresoft.com/securitycatalyst today to register now, listen to the previously recorded sessions and get access to the latest session.
Podcast: Play in new window | Download (10.6MB)
Leading from the Front: Bringing Planned Disruption To The Organization
By Martin Fisher
What is the most important job/function of a leader?
- Inspire the team?
- Use resources effectively?
- Make tough decisions?
- Set an example?
- Develop others?
All of these are good answers and are important things for a leader to be sure they are accomplishing in an organization.
But none of these is the most important answer.
The number one job of a leader – the reason leaders exist – is to bring change to organizations.
“That’s silly!” – is a common reply I hear when I make the statement.
“Leaders only bring change if change is what the organization needs. They assess the situation, analyze their resources, and only make changes if there is a reasonable chance of the change improving the organization.”
My response to that, in the words of my teenaged daughter, is “Pssh!”.
Change: If you aren’t doing it, you’re doing Leadership wrong.
Effective leaders are never satisfied with the status quo.
Of course, leaders will continue to celebrate good performances, boast the capabilities of their team, and value the circumstances they find themselves in. But more, a leader has the ability to see and accept the organization as it is and form a clear vision for how the organization can (and should) be.
Leadership, a friend once told me, is where the science of the possible meets the art of the dream.
Leadership is the nuanced ability to see what could be and come up with the plan to create it out of what is already in existence. Effective leaders almost instinctively realize that slow and incremental change is a prison and that the only escape is dramatic and disruptive change.
Leadership is “Disruptive change?”
That’s crazy talk!
Look at all the people who lost or almost lost everything to disruptive change: New Coke…Webvan…the Pontiac Aztek…Hooters Air…
Only a fool or a liar would say there is no risk to disruptive change. But there are things you can do to minimize that risk:
Think, Rethink, and Rethink Again
The leader has to be completely honest with themselves about the environment they operate in, the resources available, and the chances of the disruptive change actually taking effect.
This thinking must be complete, honest, and is not done until the leader understands the environment completely.
The leader then needs to find a small group of other trusted leaders to toss the idea to, with the intent that these leaders shoot it so full of holes that almost nothing remains.
Whatever is left — whatever survives the onslaught — forms the base of the next round of thinking. Once the thinking is done, the thoughts have to be put into simple and actionable statements:
- Changing the organizational structure? Then create an org chart to talk to and demonstrate.
- Changing processes? Then show a picture that details before and after with the benefits.
- Changing the mission? Then create a succinct mission statement and show what is being changed and why.
Whatever the change, come up with a picture (1 slide, please, not a full deck – that’s for later) that can be used to explain the “why and how” of the change.
Talk the Team Through The Change
The worst thing to do once the thinking is done (you think) and the picture is ready is to simply dump the change on the team.
One of the biggest (and, sadly, most common) mistakes leaders make is to forget that, while the leader has been thinking through this change for weeks, the team just got told of the change and needs time to process and unpack it. They deserve the chance to see what the change is, how it impacts them, ask questions, and get answers.
The effective leader is able to communicate the change to the team clearly.
Use the picture of the “how and why” to show the team how the change will impact them and how it helps get team goals accomplished.
Then step back, listen, and engage in the conversation. Remember – the team knows the system and might reveal something to tweak the change. In fact, this could be the difference between success and failure.
“That sounds an awful lot like sales! If I wanted to do sales I’d have taken that job with my cousin at the furniture store!”
Is it like sales?
Well, if “sales” means influencing people to see things from different perspectives – then yes.
But I prefer to think of it as “Casting A Vision” – which is what we’ll talk about next time.
Santarcangelo Interviewed on “The Web Squeeze” – Listen In!
On Friday, The Web Squeeze posted an interview with me. We had a blast discussing backups, passwords, building more secure websites and a bit about the human paradox and Into the Breach.
I’m impressed with The Web Squeeze (http://thewebsqueeze.com/) and hope to get more involved in additional ways.
In the meantime, I really enjoyed the banter (enough to really get me thinking about getting a new show or two going) and the professionalism extended to me by Jacob and Linda.
I hope you consider taking a listen; more – share it with the folks you know in development and see what they say. Use this as a springboard for conversations.
Here is the link: http://www.thewebsqueeze.com/freelance-podcasts/into-the-breach.html
Giving back: The Catalyst Career Compass Program
What started as a way to help friends improve their careers has started to turn into a full-fledged program called the Catalyst Career Compass™.
Over the last few years, I’ve slowly worked through the elements to help friends – and each time I promise to make the approach public. Last weekend, I was called on my promise (thankfully) and decided to open it up.
More, with the help of Andy Willingham, Kevin Riggins and others, we are preparing to relaunch and improve the Security Catalyst Community. When we relaunch (hoping for Q2, but the timeline is not defined), new opportunities for members include the career compass program that leads to a mentoring program.
We’re all excited about the program and the possibilities.
In the meantime, we have colleagues who need a boost – they need to build, calibrate and follow their career compasses.
This is a new program – so I am open to a small group of people running through the elements for their own benefits, and to help shape the elements that will be incorporated into the community. In fact, I’d like to figure out how to train others on the approach and work as a community to help each other out.
So it starts now.
And we’ll start small.
For now, no charge (money) to participate — but there is a cost. If you are interested, send me an email (securitycatalyst/gmail) or engage me on twitter (http://twitter.com/catalyst) and let’s discuss. We have to keep the initial run small, and we need people who are willing to participate fully and work through the entire system.
More details below:
Career Compass Overview
Whether you are currently a Security Professional or want to become one, this highly flexible program will help you set and meet your professional ambitions while serving lifestyle goals.
Set your Career Compass:
- To prepare for a raise
- To receive a promotion
- For career development
- If you are ready to move into the security field
- To find a new position (within your current company or outside it)
Determine your path and venture forth.
Setting Your Career Compass is a multi-faceted program to help you refine your career objectives and realize them.
It is a three-step process.
1. You will first think about and answer a series of questions about yourself, your ideal working environments and your future. We help you align your answers – the ‘who you are’ – with what you have done and where you would like to go.
2. Then we prepare you to effectively communicate your value to the right audience. With guidance you will build a personal brand in the form of a resume, bio, cover letter and whatever else is needed for you to reach your goals.
3. With all the background work complete, we will help you follow the compass you built.
We do not judge.
Everyone thrives in different situations and has different desires in life. Our passion is to help you find the unique value you bring to an organization and position yourself for success.
Why the Compass approach works.
We guide you through a process that helps you explore your strengths, values and goals. As a result, you will understand yourself better than simply listening to someone tell you what they think, based on a questionnaire.
You will be self-aware.
You will have the clarity required to communicate your value effectively. After guiding you through this exploratory process, your Career Compass helps you position and differentiate yourself from others in a strong finished package – written and oral.
The program will help you craft a resume that is simple, powerful and designed to attract the attention of the “right” people. It will help you market yourself better and guide you to greater success.
How much time does this take?
Like most things in life, the more you invest into this program, the more you will get out of it. It is recommended that you budget 3-5 hours to complete step one, 3-5 hours for step two and 3-5 hours to begin step three.
Step three is ongoing but 3-5 hours gets people where they need to be. Some will breeze through the process. Others will need more time. There is no right answer, but the time you invest in yourself will pay off down the road.
Is Cloud Computing Right for Your Business?
By Craig Nelson – special guest to The Security Catalyst
Cloud Computing.
Is it right for you? Sure.
Is it right for your business? <crickets>
By now, many have adopted a “cloud”-based service for personal use (sometimes without even realizing it). The definition of “cloud” can be a bit fuzzy at times, but to keep it simple: it’s a service provided over the Internet (“the big cloud”). This cloud includes services (from “smaller clouds”) from providers that offer hosted email, backups, document editing, picture sharing, and even password storage.
By linking all of the “clouds” together via fancy software (running on our desktop or elsewhere), our computing experience is much more fulfilling (and certainly more complex).
Given the vagueness of the definition, we can all rest assured that we are on the cutting edge by using “clouds” for our personal productivity.
But, when will “the cloud” be adopted and considered mainstream by the small, medium, and enterprise businesses of the world?
Three reasons businesses choose the cloud
The business reasons cited for using “the cloud” are likely one or more of the following:
1. Lack of time or expertise (including security) to build and maintain an in-house solution.
2. Seeking the advantage/speed of new features that are released quickly.
3. It’s cheap (either free, or subscription fees).
Beyond simple points, consider the depth and complexity of each.
Software technology can be complex to learn, install (correctly), and run (correctly). It only takes one mistake to reinforce the fact that essential tasks — such as patching, backup and restore, and monitoring — are expensive and time consuming.
With a finite amount of time and resources, many chose to focus on the business and leave the technical challenges to someone else (the cloud provider).
At the end of the day, this boils down to ensuring the service is running with the right features to drive a fulfilling and non-frustrating computing experience.
Can the cloud be more secure?
Many security breaches are due to improper configuration and lax administration and maintenance.
These issues can be pushed into the provider’s hands, who can manage “low level infrastructure issues” in a cost-efficient way through economies of scale. When a security defect is discovered, it’s likely the provider can quickly patch all of the instances of the software, and centrally determine if the defect had any consequence (i.e. it was used to compromise data).
If additional security is desired, additional security controls can be applied – matched to the value of the information. For example, organizations concerned about protecting the privacy of their data may choose to encrypt it before backing it up into a cloud-based solution. The encryption will cost some additional CPU time, and add a bit more complexity to the restoration process. However, it’s a cost that can be readily accepted.
The Cloud – Personal
At a personal level, “the cloud” allows a consumer to do more with less, and allocate valuable time and money in other ways.
Individuals sitting on the sidelines — who don’t trust the cloud — will dwindle over time as reasonable mitigations are developed to alleviate concerns. For example, many online backup providers offer the ability to encrypt data with keys that are unknown to them (thus partially alleviating the concern that the provider’s employees can view data stored by its customers. I say partially because you still need to trust that the software is doing what they say!).
New services (such as Lastpass) are emerging to protect the most secret of our secret information (passwords). A few years ago, I couldn’t imagine that such a service would be widely adopted. However, now, it seems to be trickling into the “essential software” list of well-respected technologists.
The Cloud – Business
It’s a bit different at the business level.
Many businesses today are sitting on the cloud sidelines. This is because using the cloud for business purposes isn’t quite mainstream. From an architectural perspective, there are questions pertaining to the performance and manageability of cloud-based resources, and whether the focus should be on “private clouds” (locally hosted resources that use similar patterns and practices related to cloud computing) rather than “public clouds.”
IT shops, who for the last 10 years have been fighting patch management, auditing, and other security issues, need time to understand if the cloud can meet the dizzying array of requirements that have emerged from the “post-9/11 security boom.”
Is the cloud right for business?
So, is “the cloud” right for your business? This is a serious decision – one that could cost a business its reputation. Thus, it has to be answered with clear conviction rather than the typical illusion associated with security.
Here’s a start: ask these three questions and discuss the answers with your team – including your security pros – to start to find out:
1 – What regulations is the business subject to? What operational principles and policies does the business have? Can the cloud provider provide an adequate level of support? If not, can deficiencies be mitigated?
2 – Does the cloud provider offer security controls that allow an adequate level of protection? If not, can deficiencies be mitigated?
3 – Does the cloud provider offer a level of operational transparency, so appropriate metrics and logs can be used for monitoring and reporting?
About Craig Nelson
Craig Nelson works at Microsoft, and is the host of the Cloud404 Blog (http://blog.cloud404.com). His expertise and education is in incident response, computer forensics, and security architecture.
On tap at The Security Catalyst for February
Greetings from Myrtle Beach!
We did it.
The house is rented. We packed, sold or donated most of our “stuff.” We loaded up the RV and headed south.
More important, we are liberated. I feel grounded, connected and free.
The purpose of this change is to live simply and engage with more people – to seek experiences over “stuff.” Part of our focus on learning and living deliberately allows me more time to focus on the programming and content we provide through the Security Catalyst Online Experience.
In addition to our contributors’ powerful insights forged in the trenches (more below), this month we welcome some guest voices (and topics).
On tap for February
Our contributors have some great insights to share, including:
- The key to effective communication and overall success when working with others from Trish
- Martin explains how disruptive change, when well planned, crisply executed, and continually adjusted can enable organizations to “jump the curve” and function well above where they were previously
- Why we need more attention focused on the consequences of actions with a challenge to help prevent and reduce fraud from Sharon
- Using compliance to your advantage without doing damage; as a result – decision makers may be more willing within the context of a compliance effort to spend money on information security, but they may also be more open to education and awareness efforts from Dennis
- Aaron shares how to avoid a legal “500 error” with privacy policies
And I’ll be climbing back into the writing saddle – and sharing my focus for the year with the awareness that works™ column.
Guest Voices
Craig Nelson – a good friend from the beginning of my career – chimes in with his insights on how businesses can determine if “the cloud” is right for them.
We might sneak in another guest voice or two (and try to convince them to stick around for the balance of the year!).
Engagement is the key to success
I invite you to read, consider and engage: likes, dislikes and constructive challenges are welcomed!
Connecting and engaging in person is a rich experience, indeed.
To that end, we’ll be leaving Myrtle Beach in the middle of February and traveling to San Francisco with stops planned in Atlanta, Dallas, and Phoenix.
Are you along the way?
If so, I’d love to explore how we work together.
Security From Scratch: Getting the Lay of the Land
“You rush a miracle man, you get rotten miracles.” – Miracle Max, from The Princess Bride
When building Security from Scratch, the challenge is in understanding the situation from the start. Once the team is identified/assembled, the focus shifts rapidly to getting a handle on the security posture of the organization. This is not an “assessment” in a formal sense, but it is more involved than simply checking for a firewall and antivirus.
Each situation is unique, but here are the areas I consider in my tactical review so I can understand what challenges lie ahead and form my plan of action:
- Information Security Policy
- Network/Perimeter Security Posture
- SDLC Security Policies/Procedures/Practices
- Applicable Compliance Requirements
- Security Awareness
I’ll share my approach and thinking below – but want to hear from you, too. Are there other areas you would include, avoid or otherwise consider? Leave a comment or send an email and we’ll expand together.
Information Security Policy
This is an area open to debate, but I like to check for and review the existing security policies. It provides insight into what, if anything, has been done. It generally provides clues, too, to why decisions were made.
I’ve found two major approaches to Information Security Policies:
(a) a monolithic approach where the policy encompasses all areas with details
(b) a piecemeal approach where you have a very general document that references more detailed documents.
If I get to choose, I prefer the piecemeal approach. It allows employees to get an overview of the policy and all of the areas covered, without overwhelming them with too much all at once with one huge document they’ll never read.
With the “piecemeal” approach, the details can be spelled out in the referenced documents that are easier to draft, update, and distribute.
Understanding the current approach and structure helps form a picture of the current environment. Here are some questions to ask when considering the existing Information Security Policy:
- Does a policy exist?
- Who wrote it, is it strictly boilerplate, and/or has it been reviewed by stakeholders and approved by management?
- Are the policies being followed?
- How are changes made/approved?
- Who currently maintains the policy?
Network/Perimeter Security Posture
Now, while I suggested that just checking for firewalls and antivirus isn’t enough, it doesn’t mean they should be skipped. It’s too easy to limit one’s assessment of security posture to just those kinds of elements. With that said, though, this is definitely something that should be included.
In addition to getting a good idea of the network architecture (diagrams, etc.), here are some questions to ask regarding the network and perimeter security posture:
- Is remote access allowed? If so, how – VPN, SSH, nothing?
- Are firewalls, WAFs (Web Application Firewalls), and/or IDS/IPS employed? Where? Who manages/maintains them and their rule sets?
- Does your company have/maintain a DMZ?
- Is wireless access allowed from your premises (including both network access as well as “open” wifi)?
- Does your company have any resources/assets in “the cloud”?
- If in “the cloud”, what control does your company have over the security of resources, vs. those that are simply “built in” to the services offered?
This is obviously not a comprehensive list (if you think I missed something key, drop a comment).
The main focus is to get a tactical understanding of the network and potential points of exposure. While tactical, this allows the identification of strengths and weaknesses in the current layout to form the path to advance the posture.
Once the tactical review is done, it is important to run internal and external assessments to test the baseline performance of the existing controls. Ideally, this should include both comprehensive vulnerability assessments as well as comprehensive penetration testing. This can be easily handled in-house if budget is a challenge.
SDLC Security Policies/Procedures/Practices
It should be obvious that for companies that conduct business on the Internet, develop software, or have any measure of internal development, SDLC (System Development Lifecycle) practices are important as they relate to security.
However, this also matters to companies with only a web site that was created externally and is hosted/maintained by a third party ASP (Application Service Provider), with no internal development. When getting the lay of the land, take a look at the accepted development practices to make sure they take appropriate security measures into account.
Here are some questions you can ask:
- Who “owns” the SDLC?
- Is security specifically addressed in any SDLC documentation, especially regarding applicable best practices (e.g. OWASP Top 10 for web application development, buffer overflows for vulnerable languages, etc.)?
- Is there any formal secure development training available for developers?
- If third parties/outsourcing is used for development, are security practices published and/or open for review?
- What is the current state of security awareness among the developers, architects, etc. (this can be assessed by one-on-one interviews with developers, architects and managers)?
As with the Network/Perimeter Security Posture section, being able to run assessments and have penetration testing done will go a long way toward establishing the effectiveness of current controls.
Applicable Compliance Requirements
If the company is subject to any compliance requirements, it is vital to establish the current state of compliance. I will be covering this topic in more detail in a later post, but here are some questions you should ask:
- Is the company subject to government compliance (SOX, HIPAA, etc.)?
- Is the company subject to non-governmental compliance, such as PCI-DSS?
- Does the company need to remediate any recognized compliance violations and/or is there a deadline for any existing compliance efforts?
- Regarding existing compliance efforts, where/how far in the process is your company?
- Who or what department oversees any given compliance effort?
As noted in the first installment of this series, establishing relationships with other departments – especially regarding compliance – can go a long way toward achieving your company’s compliance goals.
Security Awareness
While “Security Awareness” can mean different – and specific – things to different people, I’m referring to it here in more general terms. In essence, you need to take a look at your company’s current behavioral and cultural stance and openness toward information security. Here are some questions you should ask:
- How much support will you have from stakeholders? From management? From everyone else?
- Related to the previous question, how much latitude will you have in making decisions – will you get to run the show, or will you end up having to be an order-taker?
- Is your position the culmination of a concerted effort to “become more secure”, or is it the result of a begrudging attitude to achieve a bare minimum? The answer to this one may take some effort to answer honestly…
Turning Your Eyes Toward Defining – and Achieving – Success
Once you have all of this in place – your team and a good idea of where you are – you can begin to understand what is needed to define “success” and the metrics needed to quantify that success.
Into the Breach – Audio Series – Chapter 6 (Implementing The Strategy to Protect Information)
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 6)
Chapter Six is where Michael explains how to customize and implement the Strategy to Protect Information. The information he shares is designed to bring immediate results. This set the stage for the refinement of what is now called The Catalyst Method™ — what Michael teaches, guides and uses to help organizations get results that transform insiders into allies who reduce business risk.
Go deeper Into the Breach with Michael Santarcangelo with EMC
Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. In fact, for this chapter, Michael explains how he has modified the implementation and refined “The Catalyst Method™” to get real, rapid results. Learn how to harness the power of your people to inform and improve the risk management process in a matter of weeks.
Go to www.configuresoft.com/securitycatalyst today to register now, listen to the previously recorded sessions and get access to the latest session.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by
- Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
- Subscribing to The Security Catalyst podcast & blog to get more insights
- Learning more about Michael’s keynotes – and hiring Michael Santarcangelo to excite, ignite and turn insiders into allies who reduce business risk!
Podcast: Play in new window | Download (14.3MB)
Strike Up the Band: Building Security from Scratch
“Individual commitment to a group effort — that is what makes a team work, a company work, a society work, a civilization work.” – Vince Lombardi
When faced with creating a new security program – Building Security from Scratch – it can be like George Taylor in The Planet of the Apes: you awaken to find your ship has crashed and you have little more than the clothes on your back. You have to figure things out and make use of what’s around you.
When in this situation, it is important to establish your bearings quickly. There are a lot of things to digest in order to start making a difference. As fate would have it, this seems to be a specialty of mine; I have accepted the challenge of creating a new role at least a half-dozen times in my career.
In my new position I have the honor and challenge of building a security program from scratch (hence the name of this column). Over the next year, I am going to share my plans, insights, and lessons-learned to contribute to a dialogue where we all can improve the way we protect our organizations.
Based on my experience, there are three steps to take when starting from scratch:
1. Getting Together: Who’s on Your Team?
The first question focuses on the team: “What will my team look like?” This is key whether you’re a “one man band” or you have (or get to build) a team. Understanding who is “on the team” puts you on a path to create a plan to determine how to be most effective tactically, and how to achieve strategic success. And the answer is more than just having people report directly to you.
This is not set in stone – more time generally yields a clearer picture, but starting with a picture is key.
2. Assess the Situation: How Will this Work?
With a snapshot of the team in place, it is time to assess the resources. This includes existing resources (personnel as well as software, etc.) and potential resources (budgeted items, management’s flexibility for unplanned spending, etc.).
As you identify resources – and the gaps between them – you’ll start to get a vision of your current situation, and your company’s overall posture. As this picture develops, you will more easily be able to map out how to address the gaps using those resources.
3. Get to know the family
Just as important, though, is to figure out who the right people are in your “sister” departments, such as Human Resources, Legal, and, as you might guess, IT.
Human Resources is essential because it manages the relationship between a company and its employees. While there are many non-risk functions an HR department performs, one of the most important is in managing situations involving employee misconduct, terminations, and other delicate issues. There will often be an overlap between HR’s responsibilities regarding any kind of internal employee issue and Information Security’s role in protecting internal assets. You will definitely need HR’s help in proceeding in any kind of internal investigations as it relates to employees, and they can definitely benefit from your expertise when addressing certain kinds of employee issues – and they may not even know it.
The Legal team in an organization normally helps to protect company assets by handling relationships with external entities (contracts, NDAs, etc.), working alongside HR on internal employee matters, managing the company’s posture on legal issues and requests that arise from “outside” the company (discovery requests for pending litigation, law enforcement requests, etc.), and overseeing compliance matters (PCI DSS, HIPAA, SOX, etc.).
As an information security professional, you probably already have at least some familiarity with the functions of both of these groups. It should be pretty easy to see how cultivating relationships with these departments – and those like them, such as Document Management and Compliance – can help in your efforts to build your program, whether it’s a tip-to-tail effort or something more concentrated, like penetration testing. Less obvious, and possibly more beneficial to you, is that these departments may not be fully aware of the benefits you bring to their efforts.
Turning the One Man Band into a Symphony
Information Security is about managing risk.
In creating a security program, it pays to realize that even when you are alone, it requires a team. Showing other groups how their jobs can be easier while helping to manage risk and protect the company’s assets can effectively extend the security “team” beyond whatever may be listed on paper.
What are you doing as a one-man-band to make a difference? What challenges are you tackling? Drop a note in the comments and we’ll take it from there…
Getting Behind the Wheel: Driving Audit and Compliance
“Pass on all hills and curves.” ~Author Unknown
The concept of the audit, to some, may feel relatively new and immature. However, financial statements have been audited since the 1800s and regulated IT Audits got a footing in the 1970s. The challenge in making sense of audits is in the approach: are you driven by compliance and audits, or are you driving the audits and compliance?
In my experience, compliance and audits are more journey – and less road trip. The challenge in preparing for this journey is the murky starting point, winding roads and changing conditions that must be successfully navigated. And when finished, the reward is taking another lap.
Developing a “Culture of Compliance”
Day in and day out, those who work in finance adhere to basic principles that over time have simply become habit. These principles are derived in part from the understanding that their actions will be audited. We, as IT experts, tend to have much more of a cowboy approach to getting work accomplished. Now that IT is being held accountable, we need to instill the same daily work ethic that is second nature in finance departments.
This concept of cultural development is awkward at best when considered in bits and bytes. While IT staff are experts in their fields, they often have difficulty understanding why the perceived red tape (commonly experienced as additional process to get code into production) exists. For many, it just doesn’t make sense and feels more like an obstacle than a useful control.
Building the culture of compliance takes time, dedication, and education, and it sparks some interesting debates. Yet the journey is rewarding, and the results are proof positive of the investment. Over the course of the next year, I’ll share my experiences from the last two decades to ease the journey for everyone.
Sell the concept, reap the benefits
Management responsibility – wait for it – “must be driven from the top down.” It’s quoted a lot, and for good reason. And I agree. The outcome of IT assessments, sometimes in combination with finance audits, has a direct impact on the bottom line.
Who would you rather do business with: a company that has process deficiencies and stated exceptions, or one that passes the litmus test of standardized IT auditing?
Positive results are an endorsement that the organization is operating efficiently and, more importantly, securely. This endorsement should be used by your sales and marketing departments at every opportunity.
Building Support
Step one: find the right internal sponsor. This sponsor should be the liaison to any audit firm partner. While IT management is needed to explain details of process, systems, and applications, they should not be on point. Often the best bet is a leader in finance. Building on years of experience, savvy finance management can simply save money.
Of course there are exceptions; mature IT organizations can fulfill this role with the understanding that it is critical to update senior finance management throughout any audit.
Should IT audit and compliance be managed internally?
This question needs to be asked regardless of the size of the organization. It is common practice to hire an external audit firm (separate from your actual auditor) to prepare your organization for an IT audit. Independent assessments can help identify process deficiencies, help with documentation and, more importantly, ensure a smooth audit when it counts.
Quite simply, if you need to bring an organization into “compliance” within a predefined time frame, external help may be your only option. If the decision (or only choice) is to manage this internally, then dedicated staff is essential. This team needs expertise in systems, applications, and security, and perhaps more importantly the ability to communicate and educate others on why IT auditing is so important. We’ll explore this more in the future (and quite frankly, I’ve seen Michael in action, and he is the master of this — and he makes it easy for others to do it, too).
One of the best tangible outcomes of this whole process is detailed documentation. It is interesting how there is never time to develop or update documentation; now the excuses are gone and a valid reason exists. These policies, standards, and other documents are the foundation of the IT department and the keys to success.
What’s in it for me?
Develop this “Culture of Compliance” within the IT department and witness creative solutions being developed on the base principles of security, with forethought into what auditors really want: Who, What, When, and How!
Sound off
How have you developed a culture of compliance in your organization? Or has your compliance car skidded off the road along the path? Engage in the discussion in the comments and we’ll work on getting there together.