"Oh, hello, Mr. McCumber. I just wanted to come by to make sure these bricks were here and they were the proper paving bricks we need," he said, acting as if he hadn't heard my question. "I don't have time to work on your walkway today, but I wanted to stop by and let you know we were getting ready to start this project."
"You said you were going to be here Thursday morning. I left you a voicemail Thursday evening, " I countered.
"Oh, Thursday was a bad day for me," he mused, rolling his eyes to the blue Carolina sky. "My trailer got a flat on Route 64. Can you believe that? It was a real mess. Have you ever had a flat on Route 64?" he asked.
"Well, since you are not in work clothes," I said, "perhaps we can simply do some business instead."
"Sure," he replied, "What do you want to talk about?"
"I would like to discuss when I can expect my deposit back," I replied. "I need someone with a plan and a commitment for this job, not someone with a story."
I think back on this incident many times when reviewing security programs. Too often, I run across an information security program that's a story and not a plan. Unfortunately, it seems too many security practitioners are tempted by Mr. Parsons' methodology, which is really not a methodology at all. Mr. Parsons' management style is more a string of colorful fairy tales that inadequately obscure his inability to schedule his time effectively.
A sound plan is vital to an information systems security program. An effective and well- managed security plan then becomes an ongoing process that continually adapts to deal with known vulnerabilities and emerging threats. Fortunately for us, the nature of the process is relatively straightforward, and the data needed to build a plan is available with a little bit of research.
Providing protection for information assets requires you to have an in-depth understanding of the risk assessment process. You need to categorize the known threats and stay abreast of the evolution of both human and environmental threats to your information. An effective way to make sure you are absolutely current is to subscribe to a threat and vulnerability alerting service from vendors who track them for a living.
Additionally, you need to document all the vulnerabilities in your information technology environment. Technical vulnerabilities are tied directly to the types of systems, protocols, and software your organization uses. Along with the data available from security vendors, you can check publicly researchable data such as Mitre's Common Vulnerabilities and Exposures library at cve.mitre.org.
The risk assessment process also mandates a comprehensive review of your organization's digital assets. Their imputed value is what will determine what type and how much security protection is necessary. If you cannot show exactly where your sensitive information is transmitted, stored, and processed, you are going to have to rely on stories and anecdotes, and that is just not adequate.
Finally, you need to have a detailed understanding of how the security safeguards you employ mitigate your corporate risks. By analyzing the threats, vulnerabilities, and safeguards, you will develop a good snapshot of your existing risk posture. But to be truly effective, you have to use this information to develop a plan for continually managing and updating the security process. This plan then becomes the basis for your role as custodian and protector of the organization's vital information assets. When the decision makers call upon you to explain your job, you don't have to rely on your storytelling skills. You have a plan.
John McCumber is an IT security professional and the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, the new book from Auerbach Publications. He can be reached at firstname.lastname@example.org.