From time to time my wife likes to give me “projects.” For the most part, I think she would rather just hire someone (a professional, that is), but she seems to be able to tell when I need to build something.
Usually my projects are confined to the basement or the garage for two obvious reasons. One, she figures I can’t lower the value of the house too much in those places and, two, we can still have Christmas parties during my construction phase, which can easily last two years...
So one day I get the call – we need more storage space in the basement. I have a mission! So I take up the mission and head to my favorite store – Home Depot. I walk into the store knowing that, inside this building, is everything I need to solve this problem. I am correct, of course; the problem is that I left the house with a problem in mind but without enough information to solve it.
I forgot at least two critical things. First, I don’t know what my wife actually wants to “store.” Second, I left without going down to the basement and measuring the actual space. In the end, I will spend more time and money and still probably not get it right.
I tell you this story because it reminded me of how many companies are approaching IT security. The one difference is that many IT managers and CSOs are driven more by fear than by specific objectives (note: my wife can also use fear, but that usually happens only in projects that run into their second year).
At the RSA conference I was simply amazed at how hot the security market really is; to me, security used to be one of those things that was largely ignored – build a firewall, keep your AV subscription up to date and you have done your best. Well, the times have clearly changed. As I walked the show floor, I was blown away by the number of offerings. Having spent a good deal of time studying this market and associated technologies, I consider myself at least “advanced” in my knowledge, but I was not prepared for what I encountered.
Products and technology choices abound; it literally seems like there are 10 ways to solve each problem (and even some solutions where I am not sure there is even a problem).
So I will state what is likely an obvious point by now – building a successful IT security capability today requires the right up-front strategy, planning, understanding, and goal-setting efforts. With the number of offerings and approaches out there today, if you walk into the store without a plan you will probably just spend a lot of money and not get what you want. Here, if you fail, your spouse may not get ticked off, but your company may make the headlines (not the good ones).
We built our security strategy around five key elements under the mantra we call information-centric security. In summary, the five key elements are:
- Plan – make sure you understand your objectives.
- Be sure you can identify who is using information – basic access levels, passwords and firewalls just don’t cut it anymore.
- Secure your infrastructure
- Secure your information – it is your asset
- Audit your results – you can’t manage what you can’t measure
The detailed information about our strategy is available through the normal channels, so I won’t go into more detail here. Suffice it to say, the asset we are all trying to protect is our information.
With the needs and visibility around security so great, some will be tempted to adopt a “ready, fire, aim” strategy. In some places (like my basement) the downside is not too dire. For security, however, I would suggest that up-front planning is critical. As we can read in the media every week, losing confidential information is finally getting the attention it deserves.