From all of the security controls an organization could deploy, which one do you feel adds the most actual value for day-to-day information security and why?
AA – This decision is like telling a soldier to go into the armoury and pick one weapon before going into an unknown battlefield. Each weapon yields advantages and disadvantages. A rocket launcher effective at neutralising targets from distance is a poor choice for close quarters combat. But in order to play ball, for that one, single, value added control in your organisation, you need to deploy something which is authoritative and unambiguous but can also be used as your tool for identifying a scapegoat when stuff hits the fan. Only a Policy can achieve all of this. Make sure it is really long and covers every scenario so no one will ever read it to question you before you have the opportunity to scapegoat them. Get them to sign a piece of paper saying they read it and understand it – that is the greatest control you have (to cover your own back).
JM – I agree with you slightly and up to a point, Andy. I like the soldier analogy; extending it further, the question would become – what war are you fighting? Who are your adversaries? Why are you even fighting? I’ll paraphrase Jurassic Park and say, sometimes people are so preoccupied with whether they ‘can’ implement a control, they don’t stop to ask if they ‘should’.
People need to spend time understanding what the business does. Figure out which assets are really worth protecting. Sure, bullet proof glass is a great thing, but does it need to be standard in all cars? Any security control that is implemented needs to support the business; if it doesn’t, then you have to question why it’s being implemented in the first place. It’ll end up like the time Thom wore a wig or Andy tried growing facial hair… it’s like “WHY?”
TL – Are you guys kidding me? Soldiers, dinosaurs and really, really long policies? What is this… My First Security Programme or something? The best security control is the most informal one, and that is “tone at the top” or support and action from your leadership. For you Andy, this is General Melchett, the man at the top of the organisation making sure everybody in the organisation does their duty as regards security. For you Javvad, this is the T-Rex, pouncing on anything that moves out of line, and devouring it whole as an example to anyone else.
Lucky for you Andy too that like many things in your life, when it comes to policies size really doesn’t matter. Overcompensating with an overly large policy will only turn people off from your cause. Sound familiar?
JM – Way to talk yourself out of a job, Thom. So let me get this straight, you’re suggesting that if your exec at the top of the organisation has the correct ‘tone’ that will auto-magically solve all your security problems? Do you have an exec or a guitar that needs tuning? Well, you come across as tone deaf, but don’t let your boss know, because all he has to do is adopt the ‘tone’ and you’ll be out on the street holding up an empty Starbucks cup with a cardboard sign that says “will audit for change.”
If there was one thing I’d suggest primarily investing in, it wouldn’t be a really long policy and it wouldn’t be an autotune app for the CEO. It would be to implement monitoring controls. Good monitoring will allow you to build up a nice picture of what the organisation looks like and how information moves around. By presenting these observations to the business, you can collectively not only change the ‘tone’ as you so eloquently put it Thom, but you can use it as the basis to write good policy Andy.
Knowing what is happening is key – that knowledge can be used to make informed risk-based decisions. For example, if you see that the majority of staff copy data onto USB sticks, maybe that will affect the tone to enforce a policy of no unauthorised external media, which in turn will lead to your budget being approved to implement a DLP product. Not only do you end up with a policy over time, but you change the tone effectively and, to top it off, you remain gainfully employed.
AA – Let me clarify this. You’re saying that when you do this “right”, if things go wrong, the exec at the top will be in an informed position, take full responsibility and not look for a scapegoat? About those dinosaurs you were talking about…
TL – <sigh> Read the question at the top, chaps… it asked for one control. Only using one control will always end in failure, but yours are purely tactical in nature. Strategy first, then tactics, not the other way around. I bet you never read the entire question in your school exams either, which probably weren’t that long ago anyway.
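Javvad’s monitoring argument above (build a picture of how information moves, then use it to justify a policy and a budget) can be made concrete with a small report over endpoint logs. The following is an added example, not code from the panel or from any product: the pipe-separated log format, field names and sample lines are constructed for this demonstration, and the only thing it does is count which users wrote to removable media and how much, which is the kind of observation the panel says you would present to the business.

```python
"""Summarise removable-media write events from constructed endpoint logs.

Added example: the log format, field names and sample lines are invented
for this demonstration and do not come from the panel or any product.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: one line per endpoint event, pipe-separated.
# Fields: timestamp | user | host | event | detail
# For removable_write events the detail is "<path> <size>MB".
SAMPLE_LOG = """\
2013-05-01T09:12:03Z|alice|WS-101|removable_write|E:\\report.xlsx 1.2MB
2013-05-01T09:15:44Z|bob|WS-102|logon|console
2013-05-01T10:02:17Z|alice|WS-101|removable_write|E:\\customers.csv 4.8MB
2013-05-01T10:30:00Z|carol|WS-110|removable_write|F:\\slides.pptx 9.0MB
2013-05-01T11:05:21Z|dave|WS-120|logon|console
2013-05-01T11:40:09Z|bob|WS-102|removable_write|E:\\notes.txt 0.1MB
2013-05-01T12:00:00Z|erin|WS-130|print|HP-Floor2
2013-05-01T13:22:48Z|carol|WS-110|removable_write|F:\\archive.zip 120.0MB
malformed line that should be skipped
"""


@dataclass
class MediaSummary:
    active_users: int                      # distinct users seen in the log at all
    usb_users: int                         # distinct users with at least one removable write
    writes_per_user: dict = field(default_factory=dict)  # user -> number of writes
    mb_per_user: dict = field(default_factory=dict)      # user -> megabytes written
    share: float = 0.0                     # usb_users / active_users


def parse_events(text):
    """Yield (user, event, detail) tuples; skip lines without five fields."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue  # malformed: ignore rather than abort the whole report
        _ts, user, _host, event, detail = parts
        yield user, event, detail


def _size_mb(detail):
    """Extract the trailing '<n>MB' token from a removable_write detail."""
    token = detail.rsplit(" ", 1)[-1]
    return float(token[:-2]) if token.endswith("MB") else 0.0


def summarise_removable_media(text):
    active = set()
    writes = defaultdict(int)
    megabytes = defaultdict(float)
    for user, event, detail in parse_events(text):
        active.add(user)
        if event == "removable_write":
            writes[user] += 1
            megabytes[user] += _size_mb(detail)
    usb_users = len(writes)
    share = usb_users / len(active) if active else 0.0
    return MediaSummary(len(active), usb_users, dict(writes), dict(megabytes), share)


def top_copiers(summary, n=3):
    """Users ranked by number of removable writes (ties broken by name)."""
    ranked = sorted(summary.writes_per_user.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


if __name__ == "__main__":
    s = summarise_removable_media(SAMPLE_LOG)
    print(f"{s.usb_users} of {s.active_users} users wrote to removable media ({s.share:.0%})")
    for user, count in top_copiers(s):
        print(f"  {user}: {count} write(s), {s.mb_per_user[user]:.1f} MB")
```

The point of the report is the share figure: “3 of 5 users copy data to USB” is an observation the business can act on, and it is the input to the policy and DLP decision Javvad describes, rather than a control in itself. Malformed lines are skipped instead of raising, because a monitoring report that dies on one bad record tells you nothing.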
Andrew Agnes, Thom Langford & Javvad Malik, Host Unknown, @HostUnknownTV
To find out more about our panel members visit the biographies page.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.