Columns

Put a Good Security Staff in its Place

The biggest threat to enterprise security may be your own organization.

• By Mathew Schwartz
• 03/01/2002

Having a good security staff won't mean a thing if those security pros aren't effectively integrated into your company, and if they can't develop solid lines of communication.

People think the big security threat out there is some 15-year-old computer criminal or script kiddy finding a way to mess up your servers. The real hazard is not hiring the right people, or not integrating them effectively.

Last month, I talked about recruiting good security personnel. Now it's time to talk about organizing an effective information security practice. Since Sept. 11, organizations are thinking about security differently than they used to.

It's up to the information security professionals to present a cohesive view of the company's security preparations to upper management. Unfortunately, many companies today have security—and operating system—fiefdoms. Unix people administer the Unix machines, and mainframe people administer the mainframes. Someone else is responsible for firewalls and intrusion detection.

That balkanization has to change. As Stu Henderson, head of consulting company The Henderson Group, based in Bethesda, Md., puts it, "You need people who have the technical knowledge, the ability to learn and the ability to work together in an adult way."

Blueprint—Start with Business Processes
Step one for working together in an adult way—to either create or re-tool an information security practice—is to assemble a security working group and prioritize the business objectives of the company. Sometimes—to the shock and horror of security professionals—securing the organization isn't priority one. Most important, any security practice has to be aligned with the mission of the company. There are things that absolutely must be secured—say, the credit-card database of an online retailer—and things that in the scheme of things aren't as important. Figure out what the priorities are; ask executives now. Otherwise, after there's an intrusion and something goes wrong, it's too late both for the business and your job.

Sometimes, executives' expectations are going to be wrong. Perhaps they want everything secured equally and don't understand that an effective security program is really an effective risk-management program, and managing risk requires ranking what's most important. If expectations are off, make note of that now. Later—with third-party testing and the collective force of a security working group—you can change minds.

When assembling a security steering committee—OK, pay attention to this point—the committee should be comprised of both technical and non-technical people. Corporate sponsors of the security plan and practices are a necessity. By getting their input early on into the security priorities of the company, security personnel and all other divisions tapped to deal with the intrusion will have their marching orders. Working out lines of communication after the intrusion is too late.

So the business objective assessment phase is especially important for opening up lines of communication between security personnel and business managers. It gets the company talking about what its best practices and priorities are, and allows limited security resources to be most brought to bear where they're most necessary. And it highlights the need to appoint a liaison between upper management and the various security practices.

Note, however, that in financial institutions or the military, there's often a chief security officer. That's an executive-level position combining not only upper management experience, but also knowledge of technology. That combination is difficult to find.

The security czar should have a direct line of reporting, preferably to a top executive. Sometimes this is the CIO, but security experts often advise that it be the CFO—someone who won't balance technology decisions directly against security considerations. Most CIOs tend to err on the technology side, taking risks with security when push comes to shove.

Henderson argues for someone who can centralize technology and security, no matter the platform. "It needs somebody at the top to say, look, we need all these different platforms that are starting to talk to each other, we won't have good security unless they start to talk to each other, so we need a way for all the administrators to work together," he says.

But don't look at the executive team to find someone to play security czar, he cautions. "I don't think there's anyone at a high-enough level within the organization who understands security," says Henderson. "Until that happens, it's going to be people building bridges to other people over lunch and other projects." After a few years, the hope is that some will graduate to strategic-level positions.

In the meantime, it should be a top priority of security managers or the security czar to keep management in the loop on information security. But it's difficult, notes Paul Raines, the global head of Information Risk Management at Barclays Capital (Inc./Corp.) in London and formerly, a senior security official with the Federal Reserve Bank of New York, and the United States Air Force. "A lot of times, security managers will get caught up in the day-to-day aspects of security compliance—encryption keys, generating passwords, things like that," says Raines. "And they miss getting senior management on board and getting new policies and procedures written and checking for compliance through reviews and penetration testing.

He recommends dividing up policies from network operations personnel, who will handle the operational side of security—generating passwords and the like. That way, he notes, "the people writing out policies are not the ones checking them."

The thrust of all this is keeping executives in the loop. "That's the main point, keeping management informed," says Raines. He uses a security pyramid to talk about how that works. "At the very base of the pyramid is senior management, understanding and support. That's a head-of-security manager's first and most fundamental obligation," he says. "Then just up from that is writing policies/procedures. The third rung is doing awareness training. And at the top is compliance checking—both through technical enforcement and PEN [penetration] testing," he says.

Finally, when setting up a security practice, get outside numbers, and continue to get them. Hire a third-party auditor to assess the current security vulnerabilities inside the company. That assessment isn't for assigning blame, at least not initially; it's a tool for talking with upper management about what needs to be done, and creating a baseline to show future changes put into place.

Plan for Incident Handling
After laying out the business requirements for security and getting buy-in, next create a plan for incident handling. This isn't a one-shot deal—ongoing incidents necessitate ongoing organizational response and ultimately, change. That's according to the SANS Institute, which also advises, when setting up a security practice, that roles and responsibilities for handling incidents are identified well in advance. Along with this comes planning for notification of and response escalation to any break-in.

Just as the process of identifying business processes requires that various divisions within the company work together, so does incident handling. That's why it's a good idea to get technical and non-technical people to work on the steering committee and also the incident response team. After an intrusion, it might be up to security personnel to isolate and assess the damage, but it's corporate communications that goes public—or decidedly not—with details of the intrusion.

Articulate the time and energy each person on the intrusion response team is expected to bring. And make sure that every incident—whether simulated or real—should also be a reality check for the security practice. Just like third-party audits, it's a way to give executives insight into their security response's effectiveness.

Sea Change
All blueprints for constructing an effective security program aside, I have to note that we're in the midst of a sea change in the way organizations approach security. In the old days —you know, before Sept. 11—many organizations contented themselves with security practices that created different divisions for policies, procedure and enforcement. When hiring information security professionals many hiring managers would look for certifications such as CISSP (Certified Information Systems Security Professional) or CISA (Certified Information Security Auditor). Employees like them because it tends to raise their salaries. Even though the certification doesn't guarantee knowledge about a specific security product, it does mean the potential employee took a course on the theory behind making an organization secure.

But things are changing. "There was a pre-9/11 war that is completely different than the post-9/11 war," says Alan Paller, director of research for the SANS Institute, based in Bethesda, Md. "It started in military and financial institutions in late September and it's rolling out to other industries. Any Internet-connected industry has had a substantive change in whom upper management thinks should be responsible for it. They're changing responsibility for it, and firing people," he says.

Given the changes afoot, it's hard to generalize exactly where the industry is headed. But there are indications. For instance, on the most recent Foote survey (October 2001), which looks at the most popular IT certifications, CISSP dropped out of the top five.

"That's part of this shift that's taking place. If I'm a senior manager, I don't want you to be able to talk about security," says Paller. Rather, those senior managers want information security managers who ca

n do security. Instead of understanding the theoretical underpinnings behind information security, they want people who really know how to get their hands dirty.

Paller is blunt about CISSP—he likens it to a

medical license. "I want to require everyone to have a medical license, because then mine is worth more. No skills have been measured, it's just a knowledge test," he argues.

Post-Sept. 11, management is asking tough questions. Instead of the abstract, "do we have a security policy?" comes the "are we prepared against the top attacks?" Expect these sorts of questions:

• What are our patch levels?
• What are our other vulnerabilities?
• Are we protected against the SANS/FBI top 20 threat list?
• How effectively do we respond to intrusions?
• Who is taking responsibility for securing the organization?

The recent trend has been to hire security managers with a firm grasp of the technical who can still communicate well with executives. This mix of skills may prove essential for keeping security professionals as an integral part of the organization. For too long, they've been regarded as corporate naysayers. When CEOs start asking about patch levels, then you know the security professional's day has come.