Looking at the field of information security, some things do not feel right, mostly on the governance side. I think priorities are not properly distributed, and most companies, as well as security professionals, do not have a full understanding of how information security can work for them.
In this post I will define a Spectrum Approach, a mindset which, in my opinion, companies and professionals should follow. More specifically, it is a mindset of looking at issues from various perspectives rather than sticking with a single understanding. I believe that this approach might have a positive impact on the future of information security and help stakeholders in dealing with information security topics in a corporate environment.
Standards and Checklists
ISO 27001, NIST CSF, COBIT... If you are familiar with the field then you are probably hearing these terms on a regular basis. These are some of the standards everyone is talking about, from the security sales guy who sends you unwanted emails on a weekly basis to the top audit companies paid by your organization to tick the boxes for you.
These are the documents that "...help organizations keep information assets secure" and "...will help to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties."
There are various reasons why standards and checklists are used in corporate environments, here are some of them:
- Passing the audit and holding a certificate boosts the trustworthiness of the company, resulting in increased sales.
- Top management thinks these solutions will make their processes secure and guarantee a sweet sleep, because that's what they have heard on that famous "information security conference" which ended up being a stage for sales pitches.
- Some information security professionals think that achieving compliance with and/or certification against a standard is the holy grail of information security, others think that ticking boxes will make the company secure, and some of them just want to keep ticking those boxes, because that's what pays the bills.
An alarming problem in the field of information security is the emphasis and reliance on standards, checklists and so-called "best practices" as the only basis for many corporate decisions. The field and the community have become obsessed with a cookbook approach, in which every company should implement security processes from the same recipe. The vulnerability in this mentality is that one size does not fit all, and this is especially true for the ever-changing field of information security.
This approach is not only a demonstration of carelessness but also facilitates dangerous tendencies, some of which I will describe below:
- Information security policies and instructions should fit the organization's culture, risk appetite and business processes. Since there are millions of possible combinations of those items, "pasting" requirements from foreign documents or implementing so-called "best practices" verbatim will, at some point, contradict the business goals of the organization.
- By not going into the details of certain topics and relying on the high-level solutions proposed by a foreign document, organizations will miss the valuable information that would otherwise help them in identifying and mitigating risks.
- It is easier for an attacker to infiltrate an organization if its processes are built by thoroughly following the rules proposed in a publicly available document.
I strongly believe that one cannot gather a hundred or even a thousand information security professionals, sit them down and ask them to come up with a cookbook on how to secure companies in hundreds of different industries, with thousands of different corporate cultures and millions of different business processes. It is simply impossible.
There is more than one way for security!
Information security is probably the only field that changes on a daily basis. Changes bring new challenges, and the magic of information security is to answer one question: How will you handle those challenges?
When a business-critical project requires a security assessment, are you going to stare at that nice certificate proudly hanging on the corporate wall? Will you start scrolling through the guidelines and checklists that a standards authority gave you? Or are you going to sit down, review current tendencies, do in-depth technical analysis, go through threat modeling and translate security issues into risks? One of those approaches might be fruitful, the others not so much...
It is quite common to use checklists in the form of standardized questionnaires for vendor assessments; you have probably heard of SIG and CSA, for example. These are good ways of retrieving information from third parties. I believe that processes like this are necessary, because if security professionals start crafting questions from scratch every time there is a new project, then we will end up dedicating our time to repetitive tasks, will definitely forget questions that we should have asked, and thus will not have enough information to properly assess risks. Many market-leading companies are using these checklists, but the worrying part of the story is that those checklists are used as is. Unfortunately nobody is trying to customize the questions to suit the respondent company or the project, and only a few companies ask additional questions.
How will one retrieve enough information to assess the risks around network infrastructure with such a checklist if the only question asked is "Do you have an internal firewall?" and nobody asks "Does your company conduct ACL reviews? How often? What is the change management process for identified misconfigurations?" and so on?
This demonstrates another careless approach, in which information security professionals blindly rely on checklists without any desire to dive into details, aiming only to tick the boxes.
Many companies and professionals fail to understand that in most cases information security is a supporting function. Information security should work for the business, and that cannot happen if you keep introducing rules, policies, guidelines and instructions that are written in a foreign book by people who most probably know nothing about your organization or its corporate culture.
In order to achieve the "for business" goal, it is important to implement policies and guidelines in a way that fits the corporate culture, strengthens existing business processes and reduces possible risks.
Certifications vs Knowledge vs Skills
CISSP, CISM, CISA... Similar to standards and checklists, these certifications should also ring a bell. "Become certified and get a 35 percent higher salary", but first:
- You need to go through a > € 1000 training program
- Purchase only officially approved books and video courses
- Learn the terms specific only to this or that certificate
- You can pass the test only if you know the certificate materials; your deep understanding of security, experience and entrepreneurial mindset might not be that useful.
Similarly to standards and checklists, these certifications have become a new norm, where companies and recruiters focus their attention on how many papers candidates have, rather than on achievements, entrepreneurial mindset, leadership and knowledge.
There is absolutely nothing wrong with getting certified, quite the opposite: it allows a person to prove their knowledge of the topics covered by a certain certification. But what about skills and abilities? A piece of paper or a € 300 book does not prepare you for a fast-paced real/virtual world. What gives you an advantage against an adversary is the ability to think like one, and I strongly believe that this ability comes from hands-on experience, trial and error, dedication, and the desire to break things.
EVERYONE can prepare for and pass an examination that requires theoretical knowledge, but not EVERYONE can become an information security leader or professional.
Spectrum Approach in Information Security
The Spectrum Approach is information security that is based not only on standards, checklists and best practices, but also on risk-based prioritization, business needs, hands-on cyber security experience and a philosophy of looking at issues from the attacker's perspective.
- Facilitate decision making by communicating with business in terms of qualitative and quantitative risks
Security professionals should be using risk analysis methodologies for identifying critical focus areas and selecting the most appropriate solutions for their organizations.
- Standards provide one way of solving information security problems, but they are not designed to solve YOUR problems
There is nothing wrong with standards, checklists and "best-practices", but unfortunately one size does not fit all.
- Achieve and maintain standardization for the sake of business, fit processes to your corporate culture for the sake of security
The global market has adjusted in such a way that standards have become good sales enablers, allowing businesses to quickly gain the trust of customers. Security professionals alone cannot change the game, but we can always improve the rules.
- What you see is often not what you get
When conducting assessments, especially of vendors and third parties, do not rely on certificates alone: ask for details, reports, evidence and processes, and make sure that risks are not hidden under a corporate rug.
- Policies and processes that work for giant companies, might not work for your environment
Focus on introducing policies, processes and guidelines in a way that fits the company's culture, strengthens existing business processes and reduces possible risks. Policies that work for Google or JP Morgan might not work for you.
- Trust skills and dedication, not a paper
Almost every open position in information security requires one of the following certificates: CISSP, CISM, CISA or SANS GIAC. Hiring companies are mostly not familiar with these certificates and often forget that in this ever-changing field, certifications provide knowledge about the certification, not about information security. Companies should trust analytical thinking, an innovative approach, communication skills, technical knowledge and experience, not the paper.
To be continued...