How infosec can really shine

Don't be a pessimist -- your information security organization can be a real success. I've seen it.

There's so much fear, uncertainty and doubt in the information security world today that many people have become pessimistic about whether we can keep the bad stuff that's out there out of our systems and networks, or at least detect it in time to eradicate it before any great harm is done. I'm not one of them. I believe that with the right mix of attitude and aptitude, building a secure enterprise is within anyone's grasp. Will the security be perfect? Of course not. But I think it will be capable of meeting the challenges of today's threat environment.

Not that I want to sound cocky. In fact, I always find it a good idea to refer to one of my favorite quotes: "There ain't a horse that can't be rode, and there ain't a man that can't be throwed." Nonetheless, I am confident that truly effective information security programs can exist. In fact, I've seen some of them. Not a lot of them, it's true, but their very existence suggests that more organizations can join them. I've reviewed hundreds of information security organizations over the years. The vast majority were mediocre at best, but every once in a while, one comes along that restores my faith in the art of the possible. I encountered one recently, in fact. Let me tell you about it and certain attributes that make it stand out.

• A positive attitude. A "let's get this done" attitude permeates this enterprise's information security organization, from the most senior executives down through the ranks. That kind of consistency of mind-set doesn't happen by accident. It takes a culture that supports and encourages it. Not nearly enough organizations have such a culture, and that is a shame, because a positive, can-do attitude may be the single most important element of a successful infosec program.

• Rigorous procedures. It is the practice in this organization to examine all data moving through its primary Internet ingress and egress points (including SSL-encrypted traffic). It does full-packet capture across the enterprise networks. It has solid endpoint security practices. It reverse engineers all new malware as it's found. It does much more, but the point is that the organization's security practices are both broad (social media monitoring, for example) and deep (malware analysis, for instance).

• Wide-ranging threat intelligence gathering. Having accurate and actionable threat intelligence is vital today. This organization has established relationships with a wide range of threat intelligence sources to help it remain abreast of new vulnerabilities, exploits, malware and so on. Its sources include product vendors, information-sharing organizations and operational security groups in its industry sector.

• The ability to make the most of its resources. It should encourage other organizations that this particular infosec program is no different from theirs in one respect: it has to fight for its budget and resources. What sets it apart is that it gets the most out of those resources. It does this by turning to vendor support for niche expertise such as malware reverse engineering; relying on government organizations for specialized support when needed, since it is in a highly regulated, critical-infrastructure industry; and pulling in representatives from many departments for things like the incident response program: executive decision-makers, the IT security team, personnel from the security operations center, the general counsel, representatives from corporate communications and human resources, and others.

• Constant practice and training. In a major security incident, the problem doesn't go away simply because a couple of technical controls have been applied. Such incidents require active and competent collaboration among many key stakeholders across the enterprise. It's easy enough to write a process document that describes how those interactions should take place, but there's no substitute for putting the plan through its paces from time to time. A multidisciplinary tabletop drill can quickly spotlight process failures and demonstrate to the entire team how vital it is to coordinate the response properly when a security emergency arises.

• Continuous improvement. In my review of this organization, I noted several areas that could stand to be improved, as I do for every organization I review. As I said, no program is perfect. The thing is that a lot of organizations basically ignore my feedback, even though they've paid good money to receive it. Not this organization. My advice was well received, and I have it on good authority that it is being implemented as part of the group's continuous improvement process.

There were other things that made this organization stand apart, but these are particularly significant, and none is more vital than the first. The others won't happen if you don't start with a positive attitude.

By Kenneth van Wyk