Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.
I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.
Fortune Cookie advice for March:
The most successful civilizations rose to power, not by ignoring security, rather they ensured greatness through strategy and achievement.
For this month’s advice, you are a victim of eye-candy. I created this slide for a recent presentation, to capture the audience’s attention and rouse some brain juices flowing.
The general message does hold true. Security strategy is the long term endeavor to protect an organization’s future. If the war is fought thinking exclusively about one battle at a time, you will lose the tide of initiative and ultimately spend most of resources responding to your opponent’s attacks. If however, we keep in mind the end goals and manage to a state of optimal security, we can progress towards an advantageous and sustainable level of security.
We don’t have to win every fight, lock every door, and close every exposure. Instead, we are in a position to selectively choose our victories to maximize our capabilities. Our victory is finding the right balance of risk and costs. Thinking strategically, in concert with tactical actions, will drive clarity for the desired end-state of security.
In practical terms:
- Have a plan and communicate it
- Understand the business need for security
- Prioritize security initiatives based upon their value
- Develop an overall defense-in-depth capability, with interlocking services
- Characterize the most severe threats and identify the most likely and impactful exposures
- Know what you are protecting
- Be cognizant of when you need more, have enough, or too much security
My moment of enlightenment is over. It is time to get back to the grind of the security firefights. But my strategy is never far from my mind. It defines the boundaries and guides my tactical decisions.