The long view of security strategies for your network.
This is the second of two parts of an interview with Daniel Kennedy, MSIA, who graduated from the Master of Science in Information Assurance program in the School of Graduate Studies of Norwich University in 2008. He has recently become a contributor to an interesting, thoughtful and valuable blog at Forbes Online and I interviewed him recently about his new project.
* * *
What do you think your focus will be in the coming months?
I'm still finding my voice on this Web site, but my primary focus will be on what I think is most missing: fundamental security strategy within companies and its effective execution. I am very much in favor of the capabilities new and innovative products can provide, but I find their implementation in many organizations is haphazard; the products lead the implementation calendar rather than allowing internal teams to find the right products that fit into an overall strategy that prioritizes the rollout of its component parts.
For example, there are organizations which provide privileged access to all users and have no Web filtering, yet they are asking about high-end data leakage protection (DLP) products. Companies may have no patch management and no validation of their anti-virus, yet they want to discuss high-end log review security information and event management (SIEM) products. Many companies are not doing intrusion detection at all, are doing it in baffling ways, or are outsourcing it to providers who aren't actually monitoring anything. In most cases all of these things should be part of a strategy, but more complex projects will only be successful if built on a foundation of getting the basics right.
Those basics involve the somewhat less sexy implementation of security policies, awareness programs, communication plans, and other aspects of information security programs that people try to run from because they are uncomfortable, they involve the entire organization, and they require putting oneself in a position of leadership.
So there are security teams looking busy but crippled by the lack of organizational power afforded them in the environment they're in and by the inability to set their own reasonable agenda, and thus not advancing the state of security within their organizations. There are people responsible for information security in different areas of the enterprise, but organizationally it's implemented without central strategic leadership in the form of a CISO. I hope I will support these teams by showing that many security events that get highlighted in the media are not caused by some especially advanced attacker but rather by exploiting simple, fixable and preventable vulnerabilities. And even when the attack is advanced, in many cases the incident response, forensics response, and corporate handling of the event leave room for improvement.
How are you finding the experience of writing regularly for public consumption?
It is difficult, both from the perspective of clearing time to write and in trying to create content that is meaningful without appearing to sell something, parrot back old content, or publish unsubstantiated personal opinions without a relevant story from experience or an observed condition.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.