The information security industry can be similarly infuriating at times. Here's a short paragraph on each of the five things that wind me up the most:
1. Security awareness programs
A whole cottage industry of consultants and websites has been built up around the perceived need to educate company employees about information security. It's all a waste of time and money. Certain individuals will point to a reduction in the number of lost laptops as a measure of success, or to an increase in the number of people who can correctly tick "a) All policies are on the Intranet" in a multiple-choice questionnaire. The fact is that security awareness programs are received within the organisation with about as much enthusiasm as a plate of sick. The key to good information security is strong governance, good communication and well-managed, decent processes. Security awareness programs sap energy and resources and have little positive effect. Drop them.
2. Compliance = security
Nothing reduces the security status of a business faster than a blind determination to achieve compliance with a policy or a new regulation. PCI is the obvious one, with whole armies of "Qualified Security Assessors" driving their company Mondeos up and down the motorways of England en route to the next company that's fallen into the trap of believing that, so long as they can tick all the right boxes, they are protected as if covered by some magic force field. Having the certificate that says "compliant" tells you nothing more than that, on the day the assessor came, you had the right combination of smoke and mirrors in place to pass the test. Information security is not a compliance project. It's an ongoing program without an end date.
3. Risk modelling
Many "experts" preach the importance of working through risk models. It's a load of tosh. No matter which way you try to do it, you'll always come out with the answer you first thought of. You might as well use a crystal ball and read tarot cards. Nobody needs to work through a complex risk model to understand that if a retail website suffers a denial of service it'll have some financial consequences, or that if the internet connection is lost there won't be access to the... er... Internet. I've got better, more constructive and practical ways to spend my day than conspiring over risk models. Much more relevant is threat modelling: understand your systems and know the business, so that you can make relevant risk-based decisions.
4. Where are all the analysts
Here are two examples of what I mean. i) A vendor does a "penetration test" of a web site (I use the term loosely, because these days most pen tests seem to involve little more than pressing a button labelled "scan now") and sends you a report highlighting several "High Risk" issues. On closer inspection you discover that most of them are either false positives or irrelevant to the system under test. ii) A network scan report is given to a newly CISSP-qualified security analyst, who is asked to review it as part of a job interview. He spots the obvious highlighted security holes but doesn't question why a web server has non-standard ports open. Are we becoming too reliant on auto-scan reports? Security analysts need to be inquisitive, well practised in basic technical skills, able to spot anomalies, and not afraid to question things that don't look right. The scan results never tell the full story!
5. It's not my fault
The first 9 years of my working life were spent in the Royal Air Force, where I enlisted as an Assistant Air Traffic Controller. I learnt a few useful things out of that: how to make a good cup of tea, how to write backwards on a plastic board with a chinagraph pencil, and how to operate a Mu-Meter, being three that will stick in my mind. Most important of all, though, was the lesson that excuses don't count. Only results. There's an evolving culture of making excuses for poor results: lack of time, lack of resource, lack of training, lack of ability to think of a decent answer. All it shows is a lack of imagination, planning and initiative on the part of the person making the excuse. If you get something wrong it's your fault. Admit it and learn from it.
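As an added example, not part of the original post, of the kind of check item 4 says an analyst should make by hand rather than leave to the scanner: the Python below parses a constructed nmap-style greppable (-oG) report and flags open TCP ports that fall outside an assumed per-host role baseline (a "web" host is expected to expose only 80 and 443). The host addresses, roles and baseline are hypothetical; the point is that "extra" open ports are exactly the thing a scan report lists but never explains.

```python
import re
from collections import defaultdict

# Constructed sample in nmap greppable (-oG) format; not output from a real scan.
# Field layout per port is port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GREPABLE = """\
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///, 3306/open/tcp//mysql///
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.0.2.12 ()\tPorts: 443/open/tcp//https///, 1433/filtered/tcp//ms-sql-s///
"""

# Hypothetical role baseline: the ports each host role is expected to expose.
ROLE_BASELINE = {
    "web": {80, 443},
    "web+admin": {22, 80, 443},
}

# Hypothetical asset inventory mapping host -> role.
HOST_ROLES = {
    "192.0.2.10": "web",
    "192.0.2.11": "web+admin",
    "192.0.2.12": "web",
}

# port/state/protocol//service/// (owner, rpcinfo and version left empty by nmap here)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG style lines."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        _, _, ports_field = line.partition("Ports:")
        for port, state, proto, service in PORT_RE.findall(ports_field):
            hosts[host].append((int(port), state, proto, service))
    return dict(hosts)


def unexpected_ports(scan, roles=HOST_ROLES, baseline=ROLE_BASELINE):
    """Open TCP ports that are not in the host's role baseline.

    Filtered/closed ports are ignored; only something actually listening is
    an anomaly worth asking about. Hosts with no known role get an empty
    baseline, so every open port on them is reported.
    """
    findings = {}
    for host, entries in scan.items():
        expected = baseline.get(roles.get(host), set())
        extra = sorted(
            port
            for port, state, proto, _service in entries
            if state == "open" and proto == "tcp" and port not in expected
        )
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for host, ports in unexpected_ports(scan).items():
        # Each line here is a question for a human, not a finding in itself.
        print(f"{host}: open ports outside baseline -> {ports}; why are these listening?")
```

Run as-is it reports only 192.0.2.10, with 3306 and 8080 listening on what the inventory says is a plain web server; 192.0.2.12's port 1433 is filtered, not open, so it is left alone. The baseline is deliberately per role rather than per port number, because the same port can be perfectly normal on one host and a red flag on another.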


Well that was a relatively depressing and negative read :(
1) Disagree - if Health and Safety legislation mandates that a user be sat in a room and told how best to handle a ladder once a year, with the odds of likelihood being pretty low, then why shouldn't an organisation mandate that their users who, let's face it, are in the main the ones creating the information, be sat in a room and at least engage in a discussion about how best to handle, label and protect the information they create and/or are responsible for? And trust me, this doesn't have to be delivered in a boring manner - I speak as someone who is in her 30th straight day of delivering a nationwide programme that has "sheep dipped" over 600 users - and, in the main, they have been pleasantly surprised at how entertaining, non-patronising and enlightening it can all be!
2) Agree wholeheartedly - and would add that PCI should be seen as something to be considered WITHIN an overarching security framework of ongoing activity rather than as a separate, siloed requirement.
3) This is a badly written whinge, as actually you are saying "do risk modelling" but calling it "threat modelling" - i.e. a rose by any other name; so it's still risk assessment, and a professional InfoSec person would advocate exactly what you have stated, so it's not a new revelation, or particularly helpfully put.
Got out of bed on the wrong side, did you?!