A dozen infosec strategies (amended x2)
This Sunday morning, further to my tips on planning for 2020, prompted by "5 disruptive trends transforming cybersecurity" and fueled by some fine Colombian (coffee not coke!), I've been contemplating information risk and security strategies. Here's a dozen generic strategic approaches to consider:
- Use risk to drive security. Instead of vainly hoping to address every risk, hammer the biggest ones, tap at the middling ones and let the little'uns fend for themselves (relying on general purpose controls such as incident and business continuity management, resilience etc.). 'Hammer the biggest' means going the extra mile for 'key' or 'critical' controls addressing 'key' or 'major' or 'bet the farm' risks, and implies substantial effort to identify, understand and evaluate the risks, as well as actually dealing with them.
- Make security processes as slick as possible, using automation, simplicity, repeatability etc. DevSecOps is an example of automating security to keep up/catch up with speeding cyclists. SecDevOps could be security attempting to lead the pack (good luck with that!).
- Develop security architectures - comprehensive, coherent, all-encompassing approaches, with solid foundations and building blocks that slot into place as the blueprint comes to life. Requires long-term planning and coordination with other architectures and strategies for business, information, IT, risk, compliance, governance etc.
- Be business-driven. Let management govern, direct and control things, including cybersecurity, information security, risk and security, or whatever, to enable and deliver business objectives. Encourage and enable management to manage change both reactively and proactively. This strategy requires that management has a decent understanding of the risks and opportunities relating to information security, or at least is well-advised in that area (i.e. manage your managers!).
- Make do but improve systematically, in other words take a cold hard look at where you are now, identify the most urgent or serious issues and improvement opportunities, address them. Lather rinse repeat. This may be the only viable approach if management is not interested in being proactive in this area (which might be one of those issues worth tackling!).
- Use metrics - specifically, business- and risk-driven metrics - to identify and respond to pain points, trends, imbalances etc., ideally before they become issues. Requires a decent suite of relevant, trustworthy metrics, which implies clarity around the measurement objectives and methods. Also requires enough time to accumulate the data for trend analysis, and sound analysis (e.g. appropriate use of statistics). And beware surrogation.
- Employ 'good practices', such as ISO27k, NIST SP800, COBIT, CSA, OWASP and so on ... hinting at the practical issue of deciding which one/s to follow, and to what extent. Standards are often retrospective, out of date by the time they are published, but they generally provide a sound basis, and if used sensibly can be a useful shortcut to get basic frameworks (at least) in place. Not so useful, though, if compliance drives the organization rather than the business - another example of surrogation.
- Collaborate. Find and work with internal and external resources to get stuff done (implies shared goals). Maybe cloud-first or cloud-only makes perfect sense after all, for your organization - a current-day version of the old 'best of breed', 'best in class' or 'buy blue' mantras - so be sure information risk and security considerations are an integral part of the cloud adoption process. Exploit cloud security services: push security into the cloud.
- Focus and simplify. Stop expanding willy-nilly into the cloud without proper planning and preparation, including risk management. Develop an actual strategy, a clear map of the destination/s and routes. Prioritize resources. Find and employ the best people, methods, systems, standards, tools etc. for the most important jobs. Assemble high-performance teams, give them clear goals, motivate them and give them the space to do their thing (possibly within defined boundaries, possibly not).
- Fail small and often. Don't just anticipate failure, expect it, relish it even. Recover. Learn. Improve. Try harder. Be experimental. Take (appropriate) risks. Invest unwisely. Default to "yes" rather than "no", ask "why not?" instead of "why?". Practice hard to become excellent at identifying and reacting to risks and opportunities of all kinds. Set things up to spot, flag and react to failures effectively and efficiently. Better still, learn from others' failures: gain without pain.
- Figure out and do whatever's best for your organization - perhaps some variant version, a simplification, elaboration or combination of the above or other things unique to your organization, its situation, resources, constraints and objectives. Innovate. Think much further into the future. Imagine! Master the topic. Come up with more creative/unconventional strategies, and evaluate them. Write better lists than this one. Share your thoughts through the comments below, and of course with your work colleagues.
- Accept defeat. Follow lamely rather than lead, or get by without a strategy. Pass the buck, exploit scapegoats. Let other suckers path-find. Scrabble desperately to implement the current so-called strategy. Hold the fort. Duck the issues. Keep your head down until your watch is over. Preserve the status quo. Do the least amount possible. Summon and wait for reinforcements. Retire or find another career. Use what little remains of your motivation and self-esteem to apply for jobs at more enlightened organizations. Up-skill. Retrain. Read more than just blogs. Think on. Good luck.
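The metrics strategy above hinges on two things it only names in passing: accumulating enough data before calling a trend, and applying some actual statistics rather than eyeballing a chart. The following is an added example (my illustration, not code from the original post) of the kind of check a metrics programme needs: an ordinary least-squares slope over a series of periodic observations, a refusal to report a trend on too few points, and a per-metric notion of which direction is "bad". The metric names, the monthly values and the MIN_POINTS and tolerance thresholds are constructed assumptions for the example.

```python
"""Trend analysis over periodic security metrics, with a minimum-sample check.

Added illustration; the metrics, values and thresholds below are constructed.
"""
from typing import Dict, Optional, Sequence

# Assumption: do not claim a trend on fewer than six observations (periods).
MIN_POINTS = 6
# Assumption: a slope smaller than 2% of the series mean per period is "stable".
STABLE_TOLERANCE = 0.02


def least_squares_slope(values: Sequence[float]) -> Optional[float]:
    """Ordinary least-squares slope (change per period) of values against 0..n-1.

    Returns None when there are too few points to say anything defensible.
    """
    n = len(values)
    if n < MIN_POINTS:
        return None
    xs = range(n)
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, values))
    return sxy / sxx


def assess_metric(values: Sequence[float], lower_is_better: bool) -> str:
    """Classify a series as insufficient data / stable / improving / worsening."""
    slope = least_squares_slope(values)
    if slope is None:
        return "insufficient data"
    mean_y = sum(values) / len(values)
    # Compare the slope with the level of the series so the tolerance is unit-free.
    if mean_y != 0 and abs(slope) / mean_y < STABLE_TOLERANCE:
        return "stable"
    adverse = slope > 0 if lower_is_better else slope < 0
    return "worsening" if adverse else "improving"


# Constructed monthly observations for three metrics (not real data).
CONSTRUCTED_METRICS: Dict[str, dict] = {
    # Mean days to patch critical vulnerabilities: lower is better, drifting up.
    "days_to_patch_critical": {
        "values": [14, 15, 13, 16, 17, 18, 19, 21],
        "lower_is_better": True,
    },
    # Percentage of simulated phishing reported by staff: higher is better, rising.
    "phishing_report_rate_pct": {
        "values": [12, 14, 13, 17, 18, 21],
        "lower_is_better": False,
    },
    # Share of assets with an owner recorded: higher is better, flat.
    "asset_ownership_pct": {
        "values": [40, 41, 40, 40, 41, 40, 40, 41],
        "lower_is_better": False,
    },
    # A metric the programme only started collecting recently: too few points.
    "backup_restore_test_pass_pct": {
        "values": [90, 95, 100],
        "lower_is_better": False,
    },
}


def review_dashboard(metrics: Dict[str, dict] = CONSTRUCTED_METRICS) -> Dict[str, str]:
    """Return a verdict per metric name; only adverse verdicts merit attention."""
    return {
        name: assess_metric(spec["values"], spec["lower_is_better"])
        for name, spec in metrics.items()
    }


if __name__ == "__main__":
    for name, verdict in review_dashboard().items():
        print(f"{name:32s} {verdict}")
```

The point of the example is the shape of the analysis rather than the arithmetic: the minimum-sample rule stops a three-month series being reported as a trend, the tolerance stops noise being reported as movement, and the per-metric direction flag is where the business meaning lives. Note that none of this protects against surrogation: a rising phishing report rate is only good if reporting is what you actually want, not merely what you can count.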
There you go, food for thought I hope as we plummet towards the new year.
PS Yet another possibility: implement every control recommended by standards and advisories of your choice - essentially information security control catalogs. I can hardly believe it, but I gather some organizations are doing exactly this, for instance, implementing all the controls in Annex A of ISO/IEC 27001. It's much the same as healthy people taking multivitamin pills on the basis that "they won't hurt and might just help" ... misguided at best, wrong-headed and dangerous at worst. Every additional control increases the organization's costs, so it is not good business to attempt to do 'everything' unless 'everything' has benefits that at least offset the costs. Figuring out those costs and benefits is arguably more important than the controls themselves, for both high and low (or negative!) value controls, and comes with a nice bonus: by understanding your information risks, you might just identify the need for additional or variant controls that are not in the control catalogs you are using.