From all of the security controls an organization could deploy, which one do you feel adds the most actual value for day-to-day information security and why?
AA – This decision is like telling a soldier to go into the armoury and pick one weapon before going into an unknown battlefield. Each weapon yields advantages and disadvantages. A rocket launcher effective at neutralising targets from distance is a poor choice for close quarters combat. But in order to play ball, for that one, single, value added control in your organisation, you need to deploy something which is authoritative and unambiguous but can also be used as your tool for identifying a scapegoat when stuff hits the fan. Only a Policy can achieve all of this. Make sure it is really long and covers every scenario so no one will ever read it to question you before you have the opportunity to scapegoat them. Get them to sign a piece of paper saying they read it and understand it – that is the greatest control you have (to cover your own back).
JM – I agree with you slightly and up to a point Andy. I like the soldier analogy, extending it further, the question would become – what war are you fighting? Who are your adversaries? Why are you even fighting? I'll paraphrase Jurassic Park and say, sometimes people are so preoccupied with whether they 'can' implement a control, they don't stop to ask if they 'should'.
People need to spend time understanding what the business does. Figure out which assets are really worth protecting. Sure, bullet proof glass is a great thing, but does it need to be standard in all cars? Any security control that is implemented needs to support the business, if it doesn't then you have to question why it's being implemented in the first place. It'll end up like the time Thom wore a wig or Andy tried growing facial hair… it's like 'WHY?'
TL – Are you guys kidding me? Soldiers, dinosaurs and really, really long policies? What is this… My First Security Programme or something? The best security control is the most informal one, and that is “tone at the top” or support and action from your leadership. For you Andy, this is General Melchett, the man at the top of the organisation making sure everybody in the organisation does their duty as regards security. For you Javvad, this is the T-Rex, pouncing on anything that moves out of line, and devouring it whole as an example to anyone else.
Lucky for you Andy too that like many things in your life, when it comes to policies size really doesn’t matter. Overcompensating with an overly large policy will only turn people off from your cause. Sound familiar?
JM – Way to talk yourself out of a job Thom. So let me get this straight, you're suggesting that if your exec at the top of the organisation has the correct 'tone' that will auto-magically solve all your security problems? Do you have an exec or a guitar that needs tuning? Well, you come across as tone deaf, but don't let your boss know, because all he has to do is adopt the 'tone' and you'll be out on the street holding up an empty Starbucks cup with a cardboard sign that says 'will audit for change.'
If there was one thing I'd suggest primarily investing in, it wouldn't be a really long policy and it wouldn't be an autotune app for the CEO. It would be to implement monitoring controls. Good monitoring will allow you to build up a nice picture of what the organisation looks like and how information moves around. By presenting these observations to the business, you can collectively not only change the 'tone' as you so eloquently put it Thom, but you can use it as the basis to write good policy Andy.
Knowing what is happening is key – that knowledge can be used to make informed risk-based decisions. For example, if you see that the majority of staff copy data onto USB sticks, maybe that will affect the tone to enforce a policy of no unauthorised external media which in turn will lead to your budget being approved to implement a DLP product. Not only do you end up with a policy over time, but you change the tone effectively and to top it off you remain gainfully employed.
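The "picture of how information moves around" that Javvad argues for above is, in practice, aggregation over endpoint telemetry. The following is an added example and not part of the Host Unknown post: it takes a constructed JSON-lines log from a hypothetical endpoint agent (the field names `user`, `host`, `action`, `target` and `bytes`, and the `removable:` / `share://` / `external:` target prefixes, are assumptions, not any real product's schema), classifies each event by the channel data moved through, and reports what share of staff were seen writing to removable media. Malformed lines are counted rather than silently dropped, so gaps in the picture are visible before anyone uses it to argue for a policy or a budget.

```python
import json
from collections import Counter, defaultdict

# Constructed sample telemetry: one JSON object per line from a hypothetical
# endpoint agent. The schema is an assumption made for this example.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:02:11Z", "user": "alice", "host": "wks-01", "action": "file_write", "target": "removable:E:/q2-forecast.xlsx", "bytes": 240000}
{"ts": "2024-05-01T09:05:40Z", "user": "bob", "host": "wks-02", "action": "file_write", "target": "share://finance/q2.xlsx", "bytes": 240000}
{"ts": "2024-05-01T10:12:03Z", "user": "alice", "host": "wks-01", "action": "file_write", "target": "removable:E:/customers.csv", "bytes": 5200000}
{"ts": "2024-05-01T11:30:00Z", "user": "carol", "host": "wks-03", "action": "file_write", "target": "removable:D:/slides.pptx", "bytes": 9000000}
{"ts": "2024-05-01T12:00:00Z", "user": "dave", "host": "wks-04", "action": "email_send", "target": "external:partner.example", "bytes": 120000}
{"ts": "2024-05-01T13:45:00Z", "user": "bob", "host": "wks-02", "action": "file_write", "target": "removable:E:/notes.txt", "bytes": 2000}
this line is not json and stands in for a corrupt agent record
{"ts": "2024-05-01T14:10:00Z", "user": "erin", "host": "wks-05", "action": "file_write", "target": "share://hr/policy.docx", "bytes": 30000}
"""


def classify_channel(event):
    """Map one event to the channel the data moved through (assumed prefixes)."""
    target = event.get("target", "")
    if event.get("action") == "email_send" and target.startswith("external:"):
        return "email_external"
    if target.startswith("removable:"):
        return "removable"
    if target.startswith("share://"):
        return "share"
    return "other"


def parse_events(text):
    """Parse JSON-lines telemetry. Returns (events, malformed_count).

    Bad lines are counted, not hidden: a summary built on 60% of the
    records is a different claim from one built on all of them.
    """
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not all(key in event for key in ("user", "action", "target")):
            malformed += 1
            continue
        events.append(event)
    return events, malformed


def summarise(events):
    """Aggregate who moved how much data through which channel."""
    users_by_channel = defaultdict(set)
    bytes_by_channel = Counter()
    removable_bytes_by_user = Counter()
    staff = set()
    for event in events:
        channel = classify_channel(event)
        size = int(event.get("bytes", 0))
        staff.add(event["user"])
        users_by_channel[channel].add(event["user"])
        bytes_by_channel[channel] += size
        if channel == "removable":
            removable_bytes_by_user[event["user"]] += size
    removable_users = len(users_by_channel.get("removable", set()))
    return {
        "staff_seen": len(staff),
        "users_by_channel": {c: sorted(u) for c, u in users_by_channel.items()},
        "bytes_by_channel": dict(bytes_by_channel),
        # Fraction of observed staff who wrote to removable media at all.
        "removable_share": round(removable_users / len(staff), 2) if staff else 0.0,
        "top_removable_users": removable_bytes_by_user.most_common(3),
    }


def removable_use_is_widespread(summary, threshold=0.5):
    """The risk-based question the summary is meant to answer."""
    return summary["removable_share"] >= threshold


if __name__ == "__main__":
    events, bad = parse_events(SAMPLE_LOG)
    report = summarise(events)
    print(f"{len(events)} events parsed, {bad} malformed lines ignored")
    for channel, users in sorted(report["users_by_channel"].items()):
        print(f"{channel:15} users={len(users):2} bytes={report['bytes_by_channel'][channel]:>10}")
    print(f"share of staff using removable media: {report['removable_share']:.0%}")
    print("widespread:", removable_use_is_widespread(report))
```

On the constructed sample, three of the five observed users wrote to removable media, so the "majority of staff copy data onto USB sticks" observation comes out as a number (60%) with the heaviest users listed, which is the form that survives a budget conversation. The threshold in `removable_use_is_widespread` is where the risk appetite lives; it is a knob for the business, not for the monitoring team.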
AA – Let me clarify this. You're saying that when you do this 'right', if things go wrong, the exec at the top will be in an informed position, take full responsibility and not look for a scapegoat? About those dinosaurs you were talking about…
TL – <sigh> read the question at the top chaps… it asked for one control. Only using one control will always end in failure, but yours are purely tactical in nature. Strategy first, then tactics, not the other way around. I bet you never read the entire question in your school exams either, which probably weren't that long ago anyway.
Andrew Agnes, Thom Langford & Javvad Malik, Host Unknown, @HostUnknownTV
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.