Information security has become a necessary part of any well-managed IS department. Over the last several years, regulatory requirements and increased public awareness of data theft or loss have motivated executive managers to take a more serious look at protecting information assets. Most organizations have implemented various technologies to provide a layered defense against a wide range of attack vectors. If you’ve been hard at work installing security technology, it might be time to review what’s been accomplished and determine how to make the most of installed solutions.
According to Rich Mogull, research vice president at Gartner, “…the message isn’t about more security, but more security processes” (csoonline.com, “Gartner: More Security Processes, Less Spending”, December 29, 2006). Based on where my organization finds itself at the beginning of 2007, I agree.
During 2006, we worked from a security technology roadmap we had developed in 2005, based on our security program. We were successful in deploying a layered technical defense that we believe is reasonable and appropriate to protect our information assets. It’s now time to measure and improve.
In 2007 we’re developing metrics to measure the efficiency of our security infrastructure and policies. These metrics are intended to ensure we are spending recurring dollars in the right places. For example, security personnel are becoming highly specialized members of the IT staff. Security functions to which they don’t add value, such as daily monitoring of the SIM portal, might be better placed in operations.
Other metrics include how we’re doing with regard to SOX audits. For example, is our provisioning solution effectively managing terminations and roles? Is the number of stale accounts decreasing? Are servers, desktops, and laptops consistently deployed according to security standards and guidelines? In other words, are we providing the right level of oversight to ensure our security technology dollars were well spent?
Making sure the right processes are in place is our focus this year. Our metrics will help us understand where existing processes might be weak or where control adjustments are needed. We’ll be managing to ensure consistent, quality outcomes in much the same way our non-IS peers have been doing for years.
Success in this area will accomplish two things. First, we’ll have confidence that we’re doing everything possible to get the most value from our installed solutions. Second, we’ll be able to show management that their dollars were not wasted. This will be a big help when we ask for support for that next major security project.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.