I'm training new members of my policy and compliance team on what I need in a security network diagram, a Visio document we attach to security assessments. Rather than all the cool infrastructure stuff typically depicted in a network diagram created by Engineering, this should be a logical representation of certain data attributes: where and how information travels and where and how it's stored. I assumed earlier instructions had successfully sent the analysts down the right path. Good thing I checked.
Yesterday during the monthly training session, I received a well-designed diagram. It had all the structural elements I look for. There was only one problem. The analyst had diagrammed the flow of DHCP handshaking for our new voice over IP (VoIP) implementation. Although I'm interested in how we hand out IP addresses, the focus of this assessment should be the safety of voice mail files and voice packets: where they travel, where they rest, and who can reach them. Failing to ensure the right things are considered during security assessments and design discussions has ramifications beyond a meaningless diagram; controls end up protecting the wrong asset.
The focus of security activities can drift over time. It's a challenge to keep non-security IS staff focused on the data rather than on the infrastructure that carries it. Hanging signs around the department that read, in very large print, IT'S ABOUT THE DATA, concluding with one of a dozen common demeaning epithets, might work. But the only sure way of changing how people view security is continuous reminders. Rather than take a lecturing approach to awareness, however, I prefer gentle persuasion during design reviews, assessments, and informal discussions. So unless my analysts understand that data are the target, along with the other security objectives and concepts that follow from that, the IS technology providers they work with will continue to miss the mark.
Two basic management principles can help ensure everyone on your team is not just on the same firing range but shooting at the same target. First, "inspect what you expect." Don't assume that just because you directed assessments to be done in a certain way, your directions were understood, followed, or resulted in meaningful output.
Second, take every opportunity to make course corrections with your staff. Those frequent interruptions when members of your team pull you away from your own work to ask a question are perfect opportunities to peer into how your staff approach various security tasks. Asking the right questions and providing impromptu guidance are very important management tools to make sure your team is producing the outcomes you expect.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police, four of them as a military police investigator. He holds an MBA and the CISSP certification. He is also an online instructor for the University of Phoenix.