
In Absence of a Security Strategy

From experience working with all manner of organizations, I have seen a number of distinct security strategies in use across the industry. Since every business operates differently, perhaps there is no right or wrong approach, as long as the approach is properly aligned with the goals of the business. If it is not, the end result is failure, and in my opinion that misalignment represents one of the largest, if not the largest, challenges presently facing the industry (along with "justification," which is probably the same thing).

Here are the strategies I've managed to identify:

Incident Response (AKA Public Relations)

Ensure that the exact types of previous break-ins (that have also been publicly attributed to the organization) will (hopefully) never happen again. Organize a set of public relations talking points for media inquiry in case it does.

Compliance (AKA Satisfy the Checkbox)

Satisfy audit requirements for any and all applicable regulations where failure will result in significant business loss. Ignore the rest until they do. Decisions on whether a particular security safeguard is required should be left to the discretion of the on-site auditor, but only after appropriate organizational push-back.

Risk Management (AKA Control-Based)

Implement the minimum industry-accepted best-practice controls that establish a defensible due-diligence posture in the event of an incident or public inquiry. Engage a well-known security consultancy that may positively attest to your organization's adherence via a thorough risk assessment.

Business Continuity (AKA Keep the Boss Happy)

Address any security issues that have previously inhibited management's ability to use e-mail or view online adult entertainment. Other outstanding risks are considered secondary and should be revisited periodically by the security steering committee.

Threat-Based

Identify and categorize the various threat agents that must be successfully defended against. Actively monitor threat agent activity, implement security controls that limit their capabilities, and generate business-level activity reports.

Competitive Advantage (AKA Customer-Based)

Obtain a list of essential security controls from key customers/prospects and from competitors' technical literature, then provide assurance to customers that these highest standards of due care have been implemented.

Obviously, many of these descriptions are meant to be humorous, while still bearing some resemblance to today's organizational reality. Most organizations adopt more than a single strategy to form their own unique hybrid approach to information security.

WhiteHat Security, founded by Jeremiah Grossman, is a provider of website risk management solutions. Reprinted with permission from Jeremiah Grossman's blog.
