In this interview he discusses managing information-related risks in the enterprise, threat evolution, compliance, security awareness, as well as his SANS "Security Essentials Bootcamp Style" training course he's hosting at SANS London in late November 2012.
With threats evolving at a breakneck pace and the underground working on a seemingly endless budget, what are the biggest challenges security professionals face when trying to protect their organizations? What should they especially be on the lookout for?
The biggest challenges organizations face is properly prioritizing what they should be working on and staying focused. Organizations today are doing good things that will help protect their organization long term but they are not doing the right things that will protect against the current threats. Focusing in on risk is how an organization wins. Before they spend a dollar of their budget or an hour of their time they should always ask three questions:
- What is the risk?
- Is it the highest priority risk?
- Is it the most cost effective way of reducing the risk?
How important is security awareness in the overall security architecture?
Security awareness is very important because it helps align and reshape user behavior. For security awareness to be effective organizations it has to be aligned within the triad of policy-training-awareness. Policy tells people what to do, training gives them the skills for doing it and awareness changes their behavior.
To move beyond cartoons and posters organizations need to tie metrics to each policy statement. Awareness sessions should focus in on the policies that receive the lowest score in terms of compliance. If awareness is done correctly organizations should see a measurable improvement in compliance with the policies.
Some advocate compliance while others blame it for many of the problems having an impact on the insecurities of today's organizations. What's your take on the good and bad sides of compliance?
Compliance is very good at getting the executives attention and receiving proper funding. But it is important to remember that blindly trying to meet compliance by doing the minimal amount that is required will not necessarily lead to security. However, if compliance is the stick to receive the proper focus, proper security can lead to compliance. For it to work effective compliance can be the sales pitch and an objective, but risk based security needs to be the focus in order for an organization to receive the desired results.
With the current recession and shrinking budgets, what are the most challenging aspects of managing information-related risks in the enterprise? Are there any corners practitioners are allowed to cut?
With less resources organizations are required to do more with less. The biggest challenge is trying to accomplish too much and not properly focus in on the highest risk items. In order to be successful in these challenging times it is critical that organizations make sure everyone is on the same page.