Where Do We Start?

Because information security, in its current state, tends to attract its share of negativity and dramatic rumors, our first goal before beginning this journey is to clear our minds of the programming we have received thus far and start with a clean slate. Approaching security with a bad attitude makes it far more difficult to accomplish our goals. So, let's quickly mention a fact that people rarely discuss:

Security can be accomplished in any environment. It can be accomplished without monopolizing our time and resources, and without emptying our wallets. It can be accomplished without years of training and without having to know every vulnerability, threat, and countermeasure in existence. When addressed in the correct manner, security simply becomes an extension of our normal operations, and the best protective measures require the least amount of ongoing effort.

Sound too good to be true? Practicing information security is just like practicing anything else in this world; there are good ways and bad ways of going about it. This book is designed to direct the reader to one of the good ways for practicing security. I say "one of the good ways" because there are indeed many different ways to think about and address security, and many of them are very good. This book simply chooses one of the most effective methods that is applicable to the widest variety of organizations.

Erasing the Programming Around Us

Good security practices mean nothing, of course, if no one hears, understands, or follows them. When starting, one of the most important components of mobilizing an entire organization to follow good information security practices is to vaporize the negative programming about security. From cover to cover, one of our goals in becoming secure is to convince ourselves and those around us that information security does not have to be a great burden. End-users and upper management are extremely prone to negative ideas about security since they are exposed to them day in and day out. How many companies have spent millions on security measures, only to inhibit their daily business practices? How many departments have had to switch to complex and obscure operational practices when security was introduced to the environment? This is somewhere in the minds of most individuals when they hear the word "security." The term "security" is often wrongly considered synonymous with the term "burden."

If a security practice is a great burden, then something is wrong. Security is not effective if it overburdens the end-users or overtaxes the organization's resources. Information security is far too entwined with the human and business aspects of an organization to simply focus on the technologies and policies and not their effects on everything else. Most people know this. But what most don't realize is that security, when applied properly, does not have to impair operations or business.

Knowing Ourselves

Later in this book, I will discuss some techniques for seeing ourselves through the eyes of a hacker. In the beginning, however, we really need to focus on knowing our organizations through the eyes of the owners, customers, and investors. Proper security always reflects the environment it is applied to: its assets, goals, and capabilities. Security cannot be accomplished without first having an understanding of who we are and what we do. We do not need a degree in business analysis, but we do need to be tuned into the company's motives and operations, more so than one might expect of an IT employee.

Knowing ourselves at this level does not mean we need to search the entire complex and figure out what every switch and knob does. Our goal is far less formal and more effective. We simply need to talk to people. Here are some suggestions for anyone wanting to practice information security within their organization or within their client's organization.

I am often amazed at how many companies hire consultants to come in and "implement security," without ever going through a process to convey what it is that the organization does. This is not necessarily the fault of the organization, or even the consulting companies who have had to cater to this type of expectation over the years. Performing a business impact analysis or developing a risk model for an organization can often sound like a hustle or an attempt to bleed more money out of the client. It is very difficult to explain the need for such measures when ulterior motives are always in question. Here I will say, without a single hidden agenda, "You can't secure what you don't know about!" If an organization chooses to bring in security consulting services for any major security project, time must be spent coming to a mutual understanding of the organization. If an organization chooses to solve all its security issues using internal staff, the leaders of that staff should have a clear understanding of how the organization functions, its drivers, and its goals.

Some Important Information to Know

This is a short list, but it should cover the main information we need to get started:

  1. What is the main product, focus, or drive for the organization? This will probably have multiple answers, in which case, it is a good idea to get a sense of the priorities within each answer.

  2. What are the main sources of revenue for the organization?

  3. What are the different departments and their main functions? How do they operate and fit together in the bigger picture?

  4. What information assets are seen as the most critical to each department, and what technologies does the organization rely on?

  5. Who are the customers, partners, and major vendors for the organization and how do they interact?

Where to Get This Information

The information listed above can be discovered in several different ways. This is where we put on our detective hats; only we don't need to go diving into any dumpsters for information, since there are many readily available sources for answering our questions. Remember as we go forward that the more human interaction we have, the better. Security is always an interactive process, and it is essential that we make contact with as many people in as many roles as possible. The more people we are on good terms with, the more allies we will have when fighting the security battle. Here are some good sources to find key information about your organization.

  1. Read press about the organization. The media has a knack for focusing on areas that are important to an organization. You can learn a lot by reading how others perceive the organization and in what they are most interested. If the organization is public, check out press about its stock, earnings, and management goals.

  2. Talk to the local IT staff. Learn about the different types of systems, and how they operate, as well as where the largest percentage of resources are allocated.

  3. Hold conversations with different department managers. Ask about their operations, what they do, their priorities, and what they see as the most important function of their environment. (Be sure they know you are further expanding your knowledge, and are not doing an audit or assessment of their positions.)

  4. When you have enough information and a good sense of the business, talk to the highest level executive available who is comfortable with answering your questions and has the time. In my experience, most executives are quite enthusiastic about people taking such an interest, as long as you do your studying beforehand. It is usually best to keep the conversation informal, but to have some predefined questions ready for the discussion.

Knowing We Are Ready

Take another deep breath. Having cleared our minds of negative programming and learned a little about the environment, we are now ready to move forward. The basic understanding derived from these previous few pages has already put us way ahead of the majority of information security practices going on in the world. By coming to a clearer understanding of the environment and removing some of the misconceptions that negatively affect progress, we will easily overcome many of the obstacles that trip up other security practitioners. Now, let's dig a little deeper.