What's Your Story?

Oct. 27, 2008

It was already after nine on a beautiful Monday morning. I stood in the garage checking my watch every few minutes and sipping on my third cup of coffee. The landscaper and his work crew were supposed to arrive at 8:00 to prepare the ground and set the footings for my brick walkway. I couldn't wait any longer to meet with them, so I left to attend a scheduled meeting at my office.

When I returned home from work late that afternoon, I saw that the landscaper had finally arrived and was talking with my wife in the driveway. I could tell from my wife's expression the conversation was not going well.

"Hello, Mr. McCumber," shouted the landscaper as I got out of the car. "I was just explaining to your wife how we were going to get this walkway completed for you," he said with airy confidence.

"Perhaps, Mr. Parsons, you could begin by explaining to me why you were not here this morning. I had planned to meet you as we'd arranged to go over some specifics," I replied.

"I'm glad you asked that. I was just explaining to your wife that I couldn't be here this morning because I had to spend half a day to gain a full day for your project, and I needed to do that this morning," he said.

"I'm not sure I take your meaning," I said. I asked if he could explain further, and soon regretted that approach.

"As I was telling your wife, I am also doing a big project for Miss Lilly from the church. Well, I'm a bit behind on her job, so I went to her house with my crew instead of your house, and by getting some more work done on her project this morning, I was able to free up an entire day in the future to work on your walkway," he said brightly, as if he were handing me the big cash prize in the Publishers' Clearinghouse(tm) Sweepstakes.

"That's wonderful news, I guess. But Mr. Parsons, the commitment you made to be here this morning had nothing to do with your other jobs. You said you would be here to work on my walkway. The brick will be here tomorrow, and now we will have to find someplace out of the way to store it until you can get the digging and forms completed."

"I'm sure you can handle that," he said. "And this way I can make sure I get your job and Miss Lilly's finished. Isn't it wonderful when something like this works out for everyone involved?"

"Be assured that I share your concern for Miss Lilly's happiness," I replied, trying in vain to disguise my rising annoyance. "But I need to know when you will be able to complete the digging and the forms for my walkway."

"Well, I should be able to get back here, say, perhaps next Thursday. Of course, that all depends on the weather. You know I can't control the weather," he said.

"Mr. Parsons, I am well aware of your lack of godly powers. But 'perhaps next Thursday' is not a very good way to reach an agreement. I need to know when you plan to work on the walkway so I can make arrangements with the nursery to deliver the plants and other items for the garden. I realize a rainy day or two may delay the project, but we are in the middle of a drought. I am happy to work within your schedule, but you need to make a commitment you can keep. What's your plan for completing the walkway?" I asked.

"Well, let's say Thursday. I'll be here next Thursday at 8:00 sharp and we'll get this thing going," he said as he crawled behind the wheel of his truck. He pulled out of the driveway and then stuck his head out the window and called to me, "I'll tell Miss Lilly you said hello!" As he drove off, I found myself wishing the bricks had been delivered so I would have one to throw.

Next Thursday came and went with no sign of Mr. Parsons. We left him a voicemail. Friday also came and went without a word. I awoke that Saturday at 8:30 to see his truck in the driveway. As I came out of the house pulling on a shirt, I found him staring at the huge pile of bricks behind the garage. I also noted he was not dressed in work clothing.

"What happened to 8:00 sharp on Thursday?" I asked.

"Oh, hello, Mr. McCumber. I just wanted to come by to make sure these bricks were here and they were the proper paving bricks we need," he said, acting as if he hadn't heard my question. "I don't have time to work on your walkway today, but I wanted to stop by and let you know we were getting ready to start this project."

"You said you were going to be here Thursday morning. I left you a voicemail Thursday evening," I countered.

"Oh, Thursday was a bad day for me," he mused, rolling his eyes to the blue Carolina sky. "My trailer got a flat on Route 64. Can you believe that? It was a real mess. Have you ever had a flat on Route 64?" he asked.

"Well, since you are not in work clothes," I said, "perhaps we can simply do some business instead."

"Sure," he replied, "What do you want to talk about?"

"I would like to discuss when I can expect my deposit back," I replied. "I need someone with a plan and a commitment for this job, not someone with a story."

I think back on this incident many times when reviewing security programs. Too often, I run across an information security program that's a story and not a plan. Unfortunately, it seems too many security practitioners are tempted by Mr. Parsons' methodology, which is really not a methodology at all. Mr. Parsons' management style is more a string of colorful fairy tales that inadequately obscure his inability to schedule his time effectively.

A sound plan is vital to an information systems security program. An effective and well-managed security plan then becomes an ongoing process that continually adapts to deal with known vulnerabilities and emerging threats. Fortunately for us, the nature of the process is relatively straightforward, and the data needed to build a plan is available with a little bit of research.

Providing protection for information assets requires you to have an in-depth understanding of the risk assessment process. You need to categorize the known threats and stay abreast of the evolution of both human and environmental threats to your information. An effective way to make sure you are absolutely current is to subscribe to a threat and vulnerability alerting service from vendors who track them for a living.

Additionally, you need to document all the vulnerabilities in your information technology environment. Technical vulnerabilities are tied directly to the types of systems, protocols, and software your organization uses. Along with the data available from security vendors, you can check publicly researchable data such as Mitre's Common Vulnerabilities and Exposures library at cve.mitre.org.

The risk assessment process also mandates a comprehensive review of your organization's digital assets. Their imputed value is what will determine what type and how much security protection is necessary. If you cannot show exactly where your sensitive information is transmitted, stored, and processed, you are going to have to rely on stories and anecdotes, and that is just not adequate.

Finally, you need to have a detailed understanding of how the security safeguards you employ mitigate your corporate risks. By analyzing the threats, vulnerabilities, and safeguards, you will develop a good snapshot of your existing risk posture. But to be truly effective, you have to use this information to develop a plan for continually managing and updating the security process. This plan then becomes the basis for your role as custodian and protector of the organization's vital information assets. When the decision makers call upon you to explain your job, you don't have to rely on your storytelling skills. You have a plan.
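The four steps above (categorize threats, document vulnerabilities, value the assets and record where their data is transmitted, stored and processed, then map safeguards onto the exposures) can be carried through as a small risk register. The following is an added example, not material from the column or its author; it assumes a 1-to-5 ordinal scale for value, likelihood and severity, treats a safeguard's "reduction" as the fraction of an exposure it removes, and uses constructed sample records (the VULN-nnnn identifiers are placeholders, not real CVE entries).

```python
"""Risk register: threats x vulnerabilities x assets, with safeguards applied.

Added illustration; the scoring scale and every record below are constructed.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Asset:
    name: str
    value: int            # imputed business value, 1 (low) .. 5 (critical)
    states: frozenset     # where its data is handled: "transmitted", "stored", "processed"


@dataclass(frozen=True)
class Threat:
    name: str
    kind: str             # "human" or "environmental"
    likelihood: int       # 1 (rare) .. 5 (expected)


@dataclass(frozen=True)
class Vulnerability:
    ident: str            # tracking id; placeholders here, not real CVE ids
    component: str
    severity: int         # 1 (minor) .. 5 (critical)


@dataclass(frozen=True)
class Safeguard:
    name: str
    mitigates: frozenset  # vulnerability idents this safeguard applies to
    reduction: float      # fraction of the exposure it removes, 0.0 .. 1.0


@dataclass(frozen=True)
class Exposure:
    """One (asset, threat, vulnerability) combination found during the assessment."""
    asset: str
    threat: str
    vuln: str


def inherent_score(asset, threat, vuln):
    """Risk before safeguards: value x likelihood x severity on the 1..5 scale."""
    return asset.value * threat.likelihood * vuln.severity


def residual_score(inherent, safeguards, vuln_id):
    """Apply every safeguard covering the vulnerability; reductions compound."""
    remaining = float(prod(1.0 - s.reduction for s in safeguards if vuln_id in s.mitigates))
    return round(inherent * remaining, 2)


def assess(assets, threats, vulns, safeguards, exposures):
    """Return the register ranked by residual risk (ties broken by inherent risk)."""
    a_by, t_by, v_by = ({x.name: x for x in assets}, {x.name: x for x in threats},
                        {x.ident: x for x in vulns})
    rows = []
    for e in exposures:
        a, t, v = a_by[e.asset], t_by[e.threat], v_by[e.vuln]
        inh = inherent_score(a, t, v)
        rows.append({"asset": a.name, "threat": t.name, "threat_kind": t.kind,
                     "vuln": v.ident, "inherent": inh,
                     "residual": residual_score(inh, safeguards, v.ident)})
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"]))
    return rows


def unmitigated(vulns, safeguards):
    """Documented vulnerabilities that no safeguard addresses: the plan's open items."""
    covered = set().union(*(s.mitigates for s in safeguards))
    return sorted(v.ident for v in vulns if v.ident not in covered)


def undocumented_assets(assets):
    """Assets whose handling locations were never recorded: a story, not a plan."""
    return sorted(a.name for a in assets if not a.states)


# Constructed sample records for a fictional organisation.
ASSETS = [Asset("customer-db", 5, frozenset({"stored", "processed"})),
          Asset("payroll-export", 4, frozenset({"transmitted", "stored"})),
          Asset("marketing-site", 2, frozenset())]
THREATS = [Threat("external-intruder", "human", 4),
           Threat("disgruntled-insider", "human", 2),
           Threat("flood", "environmental", 1)]
VULNS = [Vulnerability("VULN-0001", "web-app", 5),
         Vulnerability("VULN-0002", "file-transfer", 3),
         Vulnerability("VULN-0003", "datacenter-basement", 4)]
SAFEGUARDS = [Safeguard("waf+patching", frozenset({"VULN-0001"}), 0.6),
              Safeguard("sftp-only", frozenset({"VULN-0002"}), 0.5),
              Safeguard("network-segmentation", frozenset({"VULN-0001"}), 0.5)]
EXPOSURES = [Exposure("customer-db", "external-intruder", "VULN-0001"),
             Exposure("payroll-export", "disgruntled-insider", "VULN-0002"),
             Exposure("customer-db", "flood", "VULN-0003")]

if __name__ == "__main__":
    for r in assess(ASSETS, THREATS, VULNS, SAFEGUARDS, EXPOSURES):
        print(f"{r['residual']:6.1f} (was {r['inherent']:3d})  {r['asset']:15} "
              f"{r['threat']:20} {r['vuln']}")
    print("unmitigated:", unmitigated(VULNS, SAFEGUARDS))
    print("undocumented assets:", undocumented_assets(ASSETS))
```

The ranking is the "snapshot of your existing risk posture" the paragraph describes: the intruder exposure starts highest but two overlapping safeguards bring it level with the flood exposure, which has no safeguard at all and so surfaces in `unmitigated`, while `undocumented_assets` flags the asset whose data flows were never recorded. Those two lists are the items a plan has to schedule, which is exactly what an anecdote cannot do.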

John McCumber is an IT security professional and the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, the new book from Auerbach Publications. He can be reached at [email protected].