I’m training new members of my policy and compliance team on what I need in a security network diagram, a Visio document we attach to security assessments. Rather than all the cool infrastructure stuff typically depicted in a network diagram created by Engineering, this should be a logical representation of certain data attributes: where and how information travels and where and how it’s stored. I assumed earlier instructions had successfully sent the analysts down the right path. Good thing I checked.
Yesterday during the monthly training session, I received a well designed diagram. It had all the structural elements I look for. There was only one problem. The analyst had diagrammed the flow of DHCP handshaking for our new voice over IP (VoIP) implementation. Although I’m interested in how we hand out IP addresses, the focus of this assessment should be the safety of voice mail files and voice packets. Failure to ensure the right things are considered during security assessments and design discussions has ramifications beyond a meaningless diagram.
The focus of security activities can drift over time. It’s a challenge to maintain the perspective of non-security IS staff, a perspective with a focus on the data. Hanging signs around the department that read, in very large print, IT’S ABOUT THE DATA, concluding with one of a dozen common demeaning epithets, might work. But the only sure way of changing how people view security is via continuous reminders. Rather than take a pedagogical approach to awareness, however, I prefer gentle persuasion during design, assessment, or informal discussions. So unless my analysts understand data are the target, as well as other security objectives and concepts, IS technology providers will continue to miss the mark.
Two basic management principles can help ensure everyone on your team is on the same firing range, let alone shooting at the same target. First, “inspect what you expect.” Don’t assume that just because you directed assessments to be done in a certain way that your directions are understood, followed, or result in meaningful output.
Second, take every opportunity to make course corrections with your staff. Those frequent interruptions when members of your team pull you away from your own work to ask a question are perfect opportunities to peer into how your staff approach various security tasks. Asking the right questions and providing impromptu guidance are very important management tools to make sure your team is producing the outcomes you expect.