Paperwork is the bane of information security: pages and pages of documentation that take time to complete and are not always helpful. We all have to do it. Over the years, however, information security programs have become more about checking the proverbial box that says "anti-virus installed" than about taking the additional steps that secure our systems beyond anti-virus. It is therefore not hard to see why so many IT departments were caught unprepared when Petya hit, even though its arrival had been anticipated for months.
What caused such abysmal failures in readiness?
Organizationally, it is easy to imagine the needed preparation time being diverted to low-value paperwork exercises or to fixing low-risk vulnerabilities, simply because they are on some manager's list and that manager does not want to show up on someone else's radar. It is also possible that the security team lacked the political capital or the communication skills to convince people outside IT, and especially outside information security, to invest in the changes that might have averted Petya.
Looking on the bright side, Petya and its ilk have awakened those who fund organizational information security efforts. This is an opportunity for information security professionals and programs to make a pitch to their leadership: let us create meaningful metrics and strategic views of the emerging threat landscape to improve business alignment, with the goal of turning information security into a stable enterprise function rather than the constantly evolving cat-and-mouse game it has historically been.
Too often, IT directors check the boxes, dot the i's, cross the t's and get pulled into other projects. They may install some anti-virus software, train their employees once and have them sign paperwork confirming that they received security instruction, but this is not enough.
In some cases they demand fancy new tools whose business justification can hardly be challenged by those holding the purse strings. We see it all too often: the bureaucracy, politics and paperwork become the security effort, and organizations lose sight of the value they are really supposed to be delivering.
There is often a communication gap between executives or CEOs and the technology or security teams about what is important, whether they really should invest more in security, and why. In many cases information security programs are too busy fighting fires, lose sight of the strategic vision (if they have one at all) and may even present worthless metrics to key decision makers. (Oops, did we say that out loud?)
At DYONYX, we see metrics such as "last month we saw 1,000 viruses, and this month we saw 1,200 viruses" presented to leadership teams all the time. That's great, but what should a key decision maker do with this information? Do we need more, faster, better anti-virus? Is this just business as usual? Those of us in information security have to learn to speak in terms of the "so-what factor."
Does 1,200 viruses this month mean that new variants are being released and we need to change strategy?
Does it mean that you can't keep up, or that the anti-virus software is not keeping up? Does it mean that we need to go and buy some other product?
What does that information MEAN?
A more meaningful metric, in this instance, might convey which sort of users, which department, or even which type of device and build are costing the most in help desk incidents related to anti-virus, measured against how many such users or devices there are rather than as a raw count. Are there patterns?
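The following is an added example, not code from the original post or from DYONYX, of what turning the "1,200 viruses" count into a so-what metric looks like in practice. The incident records, host inventory, department and baseline names, and the monthly fleet sizes are all constructed for illustration; the field layout is an assumption, not any particular ticketing system's schema.

```python
from collections import Counter

# Constructed sample data (not from the original post). Each record is one
# help desk ticket for an anti-virus detection:
#   (host, department, OS baseline/build, month opened)
INCIDENTS = [
    ("ws-001", "finance", "baseline-v3", "2017-06"),
    ("ws-001", "finance", "baseline-v3", "2017-06"),
    ("ws-001", "finance", "baseline-v3", "2017-07"),
    ("ws-002", "finance", "baseline-v3", "2017-07"),
    ("ws-010", "engineering", "baseline-v4", "2017-06"),
    ("ws-011", "engineering", "baseline-v4", "2017-07"),
    ("ws-020", "sales", "baseline-v3", "2017-06"),
    ("ws-020", "sales", "baseline-v3", "2017-07"),
    ("ws-021", "sales", "baseline-v3", "2017-07"),
    ("ws-022", "sales", "baseline-v4", "2017-07"),
]

# Constructed endpoint inventory: host -> (department, baseline). This is the
# denominator; without it, "most incidents" just rewards the biggest group.
INVENTORY = {
    "ws-001": ("finance", "baseline-v3"),
    "ws-002": ("finance", "baseline-v3"),
    "ws-003": ("finance", "baseline-v4"),
    "ws-010": ("engineering", "baseline-v4"),
    "ws-011": ("engineering", "baseline-v4"),
    "ws-012": ("engineering", "baseline-v4"),
    "ws-013": ("engineering", "baseline-v4"),
    "ws-014": ("engineering", "baseline-v4"),
    "ws-015": ("engineering", "baseline-v4"),
    "ws-020": ("sales", "baseline-v3"),
    "ws-021": ("sales", "baseline-v3"),
    "ws-022": ("sales", "baseline-v4"),
    "ws-023": ("sales", "baseline-v4"),
}


def incidents_per_host(incidents, inventory, field):
    """Incidents per endpoint, grouped by 'department' or 'build'.

    Groups present in the inventory but with no tickets are reported as 0.0,
    so a clean department is visible rather than silently absent.
    """
    idx = {"department": 0, "build": 1}[field]
    hosts = Counter(attrs[idx] for attrs in inventory.values())
    hits = Counter(rec[1 + idx] for rec in incidents)
    return {group: round(hits[group] / hosts[group], 2) for group in hosts}


def repeat_hosts(incidents, min_hits=2):
    """Hosts cleaned more than once. Reinfection points at remediation or the
    image, which is a different conversation from 'buy more anti-virus'."""
    per_host = Counter(rec[0] for rec in incidents)
    return sorted(host for host, n in per_host.items() if n >= min_hits)


def normalize_trend(counts_by_month, fleet_by_month):
    """Raw monthly count beside the count per 1,000 endpoints.

    A 20% rise in detections on a fleet that grew 30% is a falling rate;
    the raw number alone cannot tell leadership which it is.
    """
    return {
        month: (counts_by_month[month],
                round(1000 * counts_by_month[month] / fleet_by_month[month], 1))
        for month in sorted(counts_by_month)
    }


if __name__ == "__main__":
    print("per host by department:", incidents_per_host(INCIDENTS, INVENTORY, "department"))
    print("per host by build:     ", incidents_per_host(INCIDENTS, INVENTORY, "build"))
    print("repeat hosts:          ", repeat_hosts(INCIDENTS))
    # The post's own numbers with a constructed fleet size for each month.
    print("trend:", normalize_trend({"2017-05": 1000, "2017-06": 1200},
                                    {"2017-05": 5000, "2017-06": 6500}))
```

On this data, finance and sales tie on raw ticket count, but finance has the worse rate per endpoint, and the older baseline shows roughly five times the rate of the newer one; that is a statement a decision maker can act on (reimage the old baseline, look at what finance is doing), where "1,200 viruses" is not.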
Executive mindsets have steadily evolved. In the early days of cybersecurity, many executives needed a security patch explained to them. That is no longer the case; what they need now is better information on which to make informed business decisions. Should we spend the money on a company retreat or on improving our anti-virus program? It is a tough choice.
Information security professionals and programs must strive to bring stability to our art, providing measurements backed by honest reasons and evidence that show whether or not we are improving. If the problem is lack of budget, say that. If it is a focus on low-risk, low-value items to satisfy checkboxes, say that! If it is not having good people to support the program, say that. We must constantly improve our game, and that will not happen without meaningful metrics and instrumentation to guide us.
Meaningful metrics do not have to be expensive, either. Start small, build from there, and make sure there is a metric for the metrics themselves. Data-driven decisions help us see patterns in the big picture and help IT decision makers use data to drive the important decisions.
Between time constraints and, in some cases, failures in communication, what should organizations who find themselves in this position do?
- Transition towards automated solutions for managing the necessary paper trails. Automation also lets you measure, and "things that are measured get done."
- Improve communication through better knowledge of the environment and consolidated views of security metrics.
- Move towards a more agile threat response paradigm: improve data capabilities using tools that allow a better understanding of the IT environment.