May 26th, 2017
Ed Snodgrass, CISO, Secure Digital Solutions
Like most in the security industry, I read extensively – both technical and non-technical information. It’s virtually impossible to keep up with everything, but it comes with the territory. Add to that the plethora of security-related data you receive from your enterprise tools and technologies, and it makes for a soul-crushing wave of data that must be processed, evaluated and potentially put into practice. How do we keep track of it all? And more importantly, how do we decide if it’s relevant to our mission?
Ideally, it would be fantastic to be able to instantly react and respond to everything out there, but it’s just not possible. Certain events and threats must be addressed immediately, however the majority must be analyzed and that takes time. While pinging my security teams for status every time I saw, heard or read something might give me some added measure of assurance, it wouldn’t make their lives very pleasant and we all know there’s a talent shortage out there. So rather than focusing on individual controls and countermeasures (unless the situation specifically warrants it), I find that it’s more effective to look at my security capabilities using critical process measurement and management and then assess the influx of information against that barometer.
Phishing, for example, represents a significant threat to the enterprise. This is well known, and the techniques used by bad actors continue to be refined. Analyzing every email that potentially makes it through the secure email gateway is a job for security pros, but isn’t a responsibility I pay forward to my business users. Analysis and adjustment happens first at the process level. What part of the process allowed this to happen? Was it technical? Procedural? Once it’s addressed, how will that change the process – a component of which, for example, is training and awareness. My users (for the most part) know to look at headers and naming conventions and use ‘if in doubt, throw it out’ as a rule of thumb. But if this is something new, I’ve got to incorporate that into every component of the process – from filtering to end-user training. Once that’s successfully completed, I’m able to measure the increased effectiveness of that process – showing upward (or downward) trending over time.
Obviously, it’s not that simple but it gives me a basis from which to measure and manage the capabilities of my security organization and that can be used both to run operations day-to-day and communicate to the C-Suite and Board. Our leaders don’t expect to be briefed on every individual threat and piece of information out there but they do expect me to ‘have things covered’ and be able to show evidence to back it up. I can’t do that unless I’m able to cope with the ever-present sensory overload.
TrustMAPP helps me do that.