Information Security News mailing list archives

[infowarrior] - An Open Letter to CEOs Regarding Information Security


From: InfoSec News <isn () c4i org>
Date: Fri, 23 Aug 2002 02:31:16 -0500 (CDT)

---------- Forwarded message ----------
Date: Thu, 22 Aug 2002 20:36:13 -0400
From: Richard Forno <rforno () infowarrior org>
To: rforno () infowarrior org
Subject: [infowarrior] - An Open Letter to CEOs Regarding Information Security

An Open Letter to CEOs Regarding Information Security

By understanding the needs of security admins, corporate executives
can ensure the ongoing security of their crucial information systems.

By Richard Forno, Aug 22, 2002
http://online.securityfocus.com/columnists/104
(c) 2002 SecurityFocus

Dear Esteemed Corporate Leaders;

By the time you read this, our summer vacations will be winding down,
the long days of summer will be rapidly receding into memory, and, for
those of us slaving away in the corporate trenches, work will begin to
pick up again.

Given that summer may be a time for forgetting the drudgery of work
(particularly for vacationally endowed executives), on behalf of
security managers everywhere, I humbly offer this epistle as a short
refresher course for our corporate leaders, as we head back to the
business of doing business. I hope that this brief letter will help
jog their memories as to what our duties truly are, and make it more
bearable for them when their respective security managers begin to
pester them with dire warnings of impending network doom and requests
for ever-more increases in security budgets. May it also help our
beleaguered security managers get some real support as the fall
begins.

Security Managers are Not Paranoid - They Just Seem That Way

You may think that we believe threats lurk behind every router, hub,
and user, and sometimes to us it seems that way. However, we realize
that repeated, unsubstantiated gloom-and-doom warnings about
cyber-terrorism, viruses, and hackers will only make you ignore us,
much like we ignore those ubiquitous NIPC warnings. Therefore, we
pledge to only report tangible, confirmed items that present a
pressing danger to the continued operation of the company. In return,
we ask that you acknowledge our advice, heed our warnings, and support
us in the best interests of the company.

Furthermore, while you may not want us to be involved in the policy
approval process, we ask to be included as trusted advisors when such
items are discussed and that you allow us to make informed comments as
necessary. After all, you hired us because our credentials were sound,
our knowledge deep, and our abilities strong. And we're still employed
because you trust us to do the right thing. That includes giving you
objective, informed advice on security matters when appropriate. It's
up to you to take our counsel as the experts in this field and make
the right decision for the company's best interests.

Security is More than Technology Components

Our three guiding principles are to serve the business by ensuring the
confidentiality, integrity, and availability of the systems under our
responsibility. As good security practitioners, it's our duty to think
like the bad guys, and figure out how they might cause damage to our
corporate information environment. Sure, we know that our firewalls
are good and are updated regularly, but simply spending money on
technological solutions will not ensure the security of the
enterprise. If we do not have redundancy built into our networks, if
we continue to use software that's full of recurring security holes,
if we continue to treat security as a secondary issue, our
organizations' data will continue to be at risk.

Security professionals know that people are inevitably the weakest
link in the security chain. We can minimize the negative effects of
human error if we have your support in designing sound policies and
procedures. We must be able to count on your support when it's
necessary for us to implement and enforce them. Organizations place a
premium on employee education and knowledge for their success; this
should extend to security as well.

Our calls for better security education amongst employees aren't to
fuel our ego or increase our power in the company, they are merely to
ensure that security is considered and implemented throughout our
corporate environment. Just as you would ask all stakeholders to take
responsibility for the success of the enterprise, we would ask that
all employees take responsibility for the security of the
organization's crucial data. It doesn't cost much to raise awareness,
and in the long run, it's a great return on investment.

We think, and hope, that you would prefer to have problems prevented
through effective education and planning before the fact than through
costly damage control and repair after the fact, when it will likely
disrupt operations, cost more money, be harder to address, and
endanger our revenue stream, not to mention embarrass us in the eyes
of our shareholders and the media.

The More We Sweat In Training, The Less We Bleed in Combat

If you happen to wander the corridors around our work areas and see us
surfing the Net, rest assured, we aren't goofing off. If you hear our
hoots of glee from the test lab when playing around with new software
or hardware, trust us, we're not playing frivolous games. Believe it
or not, we're doing research.

Computer security is a rapidly changing field. New vulnerabilities are
announced every day. New exploits to take advantage of those bugs
inevitably follow soon after. To be truly effective security
guardians, we need to know not only what we're up against but how to
defend against it. That means we have to be on the prowl for new
attack tools and hacker news, so that we can be better prepared to
respond if and when such attacks occur.

We take it upon ourselves to learn the tools and techniques of the bad
guys, and apply them against our own systems first to see where they
might be effective at causing damage to our company. Knowing that, we
can then prepare and protect ourselves accordingly. This may sound a
little kooky or far-fetched, and it is certainly unconventional in the
button-down corporate environment, but you'll thank us when the next
major virus, bug, or exploit passes us by unscathed.

We Must Become A Distinct, Trusted Entity

We're not the secret police. Our primary customer is the company and
its employees. We can't be effective without their participation and
support, and that includes working well with product teams and
business unit leaders. As such, we pledge to be objective, trusted
third parties for the company, just like the legal and HR departments,
and will work to earn and keep their trust by being available, easy
to work with, professional, and helpful. While we may report to the
CIO, unless we're free to work with other business units and
departments without multiple layers of bureaucratic stovepipes, we'll
never be perceived as anything but a bunch of glorified geeks trying
their best to make it difficult to accomplish anything in the
company... which is not the case. We're here to help, and work with
people to move the company ahead, not slow it down. We're business
assurance specialists, not obstacles to profitability.

By the same token, we need the support of your fellow corporate
muckety-mucks to ensure that we receive the support and respect that
we need to do our jobs as effectively as possible. This may mean
giving us the authority to enforce security policies. It may mean
allowing us to participate in the education of the end users. It may
mean giving security personnel a higher profile in the company.
However it is done, by integrating us into the company and giving us
the respect and status our work deserves, you will make it easier for
us to do our jobs. And that can only benefit everyone.

In Closing...

Autumn always seems to be a time of renewal in the workplace. I hope
that these few points will explain how I plan to build and administer
my security team this coming year. It may sound strange, but I do want
to work with you and make our company's information environment much
more secure, so we can continue to be profitable, even in today's
goofy market.

Thanks for listening. See you by the water cooler.

# # # #

Richard Forno is the coauthor of Incident Response (O'Reilly) and The
Art of Information Warfare (Universal). He helped to establish the
first incident response team for the U.S. House of Representatives,
and is the former Chief Security Officer at Network Solutions. Richard
is currently writing and consulting in the Washington, DC area.



-- You are a subscribed member of the infowarrior list. Visit
www.infowarrior.org/lists for list information or to unsubscribe. 
This message may be redistributed freely in its entirety.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

