Security Basics mailing list archives

Re: Benchmarking security posture


From: levinson_k () securityadmin info
Date: 29 Dec 2006 23:24:44 -0000


So, I went into the meeting thinking it would
be a session to talk about the tenets of 
infosec (CIA, protect). I could use some 
assistance in communicating to the business 
leaders. 

These executives may not want to be educated about security or made to feel dumb.  It's probably not the place to be 
doing a lengthy in-the-weeds training session.  They might mainly be wanting concise suggestions that they can approve 
or deny, instead of a questionnaire.

I was told to propose a plan that is 
benchmarked against other similar sized 
organizations in the same industries. Where do 
I find information about infosec postures at 
similar organizations?

Which companies do they want to compare and emulate?  Enron?  That company down the street that keeps getting infected 
by viruses?  The company with the stovepiped legacy application running on a different platform than theirs?  Is 
emulating other companies a good way to run a business or outperform the other guy?  What if the other guy isn't doing 
it the right way?  Many companies arguably don't have their IT security entirely in order.

It sounds like they see security as a one-size-fits-all appliance that you buy, and they want to know exactly how many 
boxes and how much it's going to cost them.  But how secure you are doesn't always have a lot to do with how much you 
spend on hardware and software.  The number and talent of your security staff, and policies and procedures used to 
insert security into various business processes like system development, deployment and operation, are important 
details in a security posture.  With IT security, the devil is entirely in the implementation details.  I'm not sure 
they're going to be able to replicate that from any industry benchmark with much success.

But I agree with the other poster here that you should consider selling security as a cost savings measure and, as you 
say, an insurance policy against primarily financial losses.  You might use scenarios like the last time they were 
infected with a worm that caused system X to be unavailable, which impacted business productivity.  IT security is 
largely about managing risk, and bringing risk to an acceptable level, and companies in the same industry and size do 
not necessarily all have the same tolerance to the various kinds of risk.  

You might use brief mentions of quantitative risk assessment to help bolster your ability to justify your position, but 
you may want to avoid trying to educate in detail about abstract concepts.  

It could be that they think their biggest unacceptable risk is risk of legal liability.  If this was actually the case, 
the concept of using industry-standard "due diligence" methods to protect yourself comes into play, and their approach 
of seeing what others are doing would make sense.  The NIST SP800 series of documents such as SP800-53 has some 
guidance that may be a useful launching point for assessing their largest security gaps, though the documents were 
created with US Federal government systems in mind and are still somewhat lacking in the concrete detail it sounds like 
you've been directed to provide.

http://csrc.nist.gov/publications/nistpubs/

I'm thinking they're wanting you to propose a concrete direction, so you'd need to already know the current security 
posture and have the answers to most of your questions already.

kind regards,
Karl Levinson
http://securityadmin.info
