Security Basics mailing list archives
Re: Benchmarking security posture
From: levinson_k () securityadmin info
Date: 29 Dec 2006 23:24:44 -0000
So, I went into the meeting thinking it would be a session to talk about the tenets of infosec (CIA, protect). I could use some assistance in communicating to the business leaders.
These executives may not want to be educated about security or made to feel dumb. It's probably not the place to be doing a lengthy in-the-weeds training session. They might mainly be wanting concise suggestions that they can approve or deny, instead of a questionnaire.
I was told to propose a plan that is benchmarked against other similar sized organizations in the same industries. Where do I find information about infosec postures at similar organizations?
Which companies do they want to compare and emulate? Enron? That company down the street that keeps getting infected by viruses? The company with the stovepiped legacy application running on a different platform than theirs? Is emulating other companies a good way to run a business or outperform the other guy? What if the other guy isn't doing it the right way? Many companies arguably don't have their IT security entirely in order.

It sounds like they see security as a one-size-fits-all appliance that you buy, and they want to know exactly how many boxes and how much it's going to cost them. But how secure you are doesn't always have a lot to do with how much you spend on hardware and software. The number and talent of your security staff, and the policies and procedures used to insert security into various business processes like system development, deployment and operation, are important details in a security posture. With IT security, the devil is entirely in the implementation details. I'm not sure they're going to be able to replicate that from any industry benchmark with much success.

But I agree with the other poster here that you should consider selling security as a cost savings measure and, as you say, an insurance policy against primarily financial losses. You might use scenarios like the last time they were infected with a worm that caused system X to be unavailable, which impacted business productivity.

IT security is largely about managing risk, and bringing risk to an acceptable level, and companies in the same industry and size do not necessarily all have the same tolerance to the various kinds of risk. You might use brief mentions of quantitative risk assessment to help bolster your ability to justify your position, but you may want to avoid trying to educate in detail about abstract concepts. It could be that they think their biggest unacceptable risk is risk of legal liability.
If this was actually the case, the concept of using industry-standard "due diligence" methods to protect yourself comes into play, and their approach of seeing what others are doing would make sense. The NIST SP800 series of documents such as SP800-53 has some guidance that may be a useful launching point at assessing their largest security gaps, though the documents were created with US Federal government systems in mind and are still somewhat lacking in the concrete detail it sounds like you've been directed to provide. http://csrc.nist.gov/publications/nistpubs/

I'm thinking they're wanting you to propose a concrete direction, so you'd need to already know the current security posture and have the answers to most of your questions already.

Kind regards,
Karl Levinson
http://securityadmin.info