Wednesday, December 24, 2008

Security Stuck at the Kids Table?

Where does the Security Department reside at your organization?

I am sure many readers will first answer this question with, “What Security Department?” That is a fair answer for many organizations out there in the real world, and for those of you that answered the question that way, I feel sorry for you and your organization... It is only a matter of time before you end up on the front page of the newspaper with a headline reading something like, “Hacker Breaches Company ABC, Takes 100,000 Social Security Numbers” or “Insider Steals 20,000 Credit Card Numbers from Company XYZ.” Trust me, I have seen it before. It is only a matter of time.

For the rest of you, where does Security sit? Under the Director of IT? Under the Chief Information Officer? How about under the Audit Department? While there are advantages to each, the disadvantages far outweigh the benefits.

Let’s examine.

Under the Director of IT: Last time I checked, the IT department’s main concern is the availability of resources and data. As a security guy, I really don’t care about availability. If our network is unavailable, we are secure. As such, every decision I make in the best interest of security is going to be analyzed based on its effect on availability, and if these decisions conflict with IT’s goals, they are not going to go far.

Under the CIO: Same problems as above, plus lack of funding, lack of power (i.e. the ability to make decisions and have them implemented), and lack of representation in senior management.

Under the Audit Department: Who is an auditor’s only friend? Another auditor! Okay, so that wasn’t a good joke, but there is truth to it. Most people don’t like auditors, and being stuck under that department makes others think Security is one of them. Therefore, everyone from the bottom to the top will generally be “on guard” when you come around and resistant to your goals because of it.

So where is the best place for Security to sit? At the same level as the CIO, but independent from the CIO. Security should be its own Department and have its own voice in the Senior Management circle. It should have its own budget and the ability to defend all decisions made in the best interest of security without having them kiboshed before they make it to the C-level.

In a world with increasingly stringent regulations and compliance requirements (e.g. PCI, HIPAA, SOX, GLBA), and more sophisticated hackers and hacking techniques, it’s time to move Security where it rightfully belongs: at the adult table.


Tuesday, December 23, 2008

Economy bad… breaches go up!

Cut jobs, lay off people, hell, don’t buy coffee, but don’t spend less on assessments during a down economy!

Contrary to popular belief, during a down economy it is crucial that companies maintain an assessment program. Based on an article I recently wrote for law.com... when the economy is bad (which appears to be the case for 2009) the chance of theft of corporate assets increases. Based on the fraud triangle, below are three areas that, when aligned, make a person willing to steal, commit fraud or worse.
  1. Rationalization- The day an employee starts, they start to rationalize… I worked all weekend and no one else was here… especially my boss!
  2. Pressure- Given the economy this is an understatement; pressure is all over the place. With one in five homes being foreclosed on, it’s a safe bet that one of your employees will have financial pressure.
  3. Opportunity- Probably the only area that we can actually control. Taking away or reducing the opportunity is key. Assessments are actually the lowest-cost solution to identify the risky areas.
Correct use of assessments is key; you need to spend money wisely. What is the best use of your money and how do you maximize your return? You need to understand where your greatest risk is and apply more resources in that spot. Seems easy; however, most security professionals would rather secure the outside with a penetration test or scans. Spending $10k, did you actually identify the greatest risk? Probably not.

Getting budget gets tougher and tougher when you don’t know what the real risks are. Hence, next year (2009), spend money on a risk assessment. Yes, risk assessments cost more, but they identify more risk and, more importantly, map the business requirements to those risks. Now you are telling the board or CEO about the risks, not just the results of a penetration test. This is key; we as security practitioners do not want to hold the risk!

Over the past several years I have noticed an increase in January/February breaches and hacking activity. While I cannot statistically back up this observation, I can guarantee you that with a down economy and the holiday season, people will have more free time. Especially for kids who are off from school, this is an ideal time to try some new hacks out, maybe the latest version of FastTrak.
