Fortune Cookie Security Advice – March 2009

Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense
I think the key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for March:

The most successful civilizations rose to power, not by ignoring security, rather they ensured greatness through strategy and achievement.

Rosenquist Sig pic2.gif

For this month’s advice, you are a victim of eye-candy.  I created this slide for a recent presentation, to capture the audience’s attention and rouse some brain juices flowing.

The general message does hold true.  Security strategy is the long term endeavor to protect an organization’s future.  If the war is fought thinking exclusively about one battle at a time, you will lose the tide of initiative and ultimately spend most of resources responding to your opponent’s attacks.  If however, we keep in mind the end goals and manage to a state of optimal security, we can progress towards an advantageous and sustainable level of security.

We don’t have to win every fight, lock every door, and close every exposure.  Instead, we are in a position to selectively choose our victories to maximize our capabilities.  Our victory is finding the right balance of risk and costs.  Thinking strategically, in concert with tactical actions, will drive clarity for the desired end-state of security.

In practical terms:

  • Have a plan and communicate it
  • Understand the business need for security
  • Prioritize security initiatives based upon their value
  • Develop an overall defense-in-depth capability, with interlocking services
  • Characterize the most severe threats and identify the most likely and impactful exposures
  • Know what you are protecting
  • Be cognizant of when you need more, have enough, or too much security

My moment of enlightenment is over.  It is time to get back to the grind of the security firefights.  But my strategy is never far from my mind.  It defines the boundaries and guides my tactical decisions.

Published on Categories Archive
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.