Operations
7/11/2014
12:00 PM
Jason Sachowski
Commentary

Strategic Security: Begin With The End In Mind

The trouble with traditional infosec methodology is that it doesn't show us how to implement a strategic security plan in the real world.

No matter where you work, the reality is that technology advances, threats emerge, and security adapts -- wash, rinse, repeat. Even so, strategic planning is a critical part of information security, one that can transform an organization from being reactive to becoming proactive.

There are countless resources available to teach us strategic planning methodologies. Unfortunately, what these resources cannot teach is how to implement a strategic plan in the real world. A truly successful implementation means going beyond processes, experience, or skills and looking at how we as security professionals turn plans into results.

Your own worst enemy
Before starting down the path of strategic planning, it is critical that we know the role we will play throughout the process. Sun Tzu wrote in The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Applied here, this means that before you begin strategic planning you have to know what you are and what you are not, because the way you operate can either make or break execution.

I think it’s fair to say that every security professional has an origin story, and (whether we like it or not) there were moments that shaped how we execute strategic planning. In terms of knowing what you are: for the most part, those of us performing strategic planning will be security professionals with experience across multiple information security domains. Being a “jack of all trades” means we have the know-how to approach strategic planning holistically, because we have a broader understanding of core security values and how to apply them.

So if we know what it takes to be successful, how exactly do we become our own worst enemy? It comes from that same in-depth understanding of information security values, which can subconsciously escalate our way of thinking from passionate to obsessed. Being obsessed with information security values can be a good thing, but there is a danger of that obsession turning into a roadblock to success and limiting our ability to innovate.

Think inside the box 
One misconception about strategic planning is that creativity and innovation come primarily from “thinking outside the box.” In reality, this kind of unstructured methodology tends to produce outcomes that have no relevance to the plan’s end goal(s). A better approach for information security is to go back to thinking inside the box.

Security professionals with a strong sense of core values tend to be more creative when focused on specific issues and constraints rather than working with vague directions and multiple agendas. To get to this point, it’s important that we look at information security as an entire ecosystem instead of as smaller groupings of protection. When an organization has a complete view of its information security program, it can identify and evaluate unnecessary redundancies and provide better support for its risk management framework.

This is not to say that we should eliminate defense-in-depth strategies. Instead, we need to work towards developing a set of consistent security goals throughout the organization that reduce operating costs and enhance the capabilities of core security systems.

Every security professional wants to see his hard work become a reality, but the truth is that only a few of the strategies we work on will actually succeed. Why is this? Have you ever been told that the reason we perform strategic planning is “to reduce risk”? The lack of detail in that explanation is what leaves us struggling to define what success looks like and how we measure it.

Running vs. changing security
Much like “thinking inside the box,” another element of strategic planning is focusing on actually doing something instead of merely thinking that we should be doing something. This can be difficult to accomplish given how we have all been conditioned to feel that running security operations supersedes changing security operations.

Roadmaps are an excellent way for organizations to support their strategic plans. But we should be cautious that these roadmaps do not dictate exactly what we need to do to reach our goals. Wouldn’t it be better to instead leverage the motivation within our operational security teams to provide us with a vision of what the finish line should look like?

This is a proven approach that has produced information technologies which integrate and simplify information security values without becoming too disruptive for users. The key, as Steve Jobs put it, is that you've got to start with the customer experience and work back toward the technology -- not the other way around.

The evolution of information security is often a reaction to the advancement of the data and technology it protects. Having established roadmaps that illustrate what the finish line is, the execution of a strategic plan can be driven by those who are thinking inside the box and motivated to achieve success.

However, as professionals we must keep in mind how quickly being passionate can change to being obsessed and that this can influence the overall implementation of strategic security solutions. If we work backwards from where we want to be, we will be able to better integrate and simplify information security regardless of technology.

Jason is currently the senior manager of the security research-and-development team within the Scotiabank group, where he has worked for the past decade. During his career with Scotiabank Group, he has been responsible for digital investigations, software development, ...
Comments
Dr.T
User Rank: Ninja
7/16/2014 | 11:37:09 AM
Re: strategic Security: Begin With The End In Mind
Agree. If we were able to pick and choose and provide a solution piece by piece, we would be able to do that and would be avoiding the security issues we are facing today. Software has to be secure, that is for sure; the platform and people using it may still pose threats to it.
Dr.T
User Rank: Ninja
7/16/2014 | 11:34:16 AM
Re: Security begins "inside the box"
I would agree, but when we look at security as a whole, that is where we see the expected outcomes. Having perfect security-aware software does not really protect us from threats; the software would simply be as weak as the username/password we would be using to log in.
Dr.T
User Rank: Ninja
7/16/2014 | 11:30:26 AM
Begin with the End in Mind
Very good article. Thanks for sharing that. Stephen Covey had it right when he said Begin with the End in Mind. That really applies to security too. We also need to make sure that IT is just one leg of the security problems we have. As the article mentioned, think inside the box and have a general overview of where the weaknesses and threats are and provide proper countermeasures.
JasonSachowski
User Rank: Author
7/14/2014 | 6:46:59 PM
Re: strategic Security: Begin With The End In Mind
I agree @macker490 that we have to start somewhere, but I don't think the answer to every strategy is to secure the software first. This goes back to the idea that something we are passionate about can limit our ability to successfully reach our end goals by becoming an obsession. While securing software is an important criterion, it is not always the starting point in every strategic plan: for example, understanding the business requirements and ultimately what the data is before we begin to develop a strategy to secure it.

@RobertMcDougal makes a very good reference on how our eyes can be bigger than our stomach and we can't seem to focus in on how to get from start to end. It goes back to something as simple as setting smaller achievements throughout the course of the strategic plan so we don't get overwhelmed with the end goals.
Robert McDougal
User Rank: Ninja
7/14/2014 | 2:33:49 PM
Re: Security begins "inside the box" -- protect the software first
I think you have summed it up fairly well. In my experience, security professionals feel too overwhelmed by the scope of security strategy and become paralyzed, thus doing nothing. I treat security strategy the same as eating an elephant, one bite at a time.
Marilyn Cohodas
User Rank: Strategist
7/14/2014 | 8:32:49 AM
Re: Security begins "inside the box" -- protect the software first
Seems so basic and so simple. And yet strategic security remains a huge challenge for so many organizations. 
macker490
User Rank: Ninja
7/14/2014 | 8:29:40 AM
Re: Security begins "inside the box" -- protect the software first
read the first two sentences:

in terms of security: you must protect the software first -- before there can be any meaningful discussion of security. if you are using an o/s that leaks worse than a sieve you have to start by changing that.

once you have protected your software then you can move on to authentication. all transactions must be authenticated and this includes particularly software updates not just orders, invoices, EFTs, PII data and the like.
Marilyn Cohodas
User Rank: Strategist
7/14/2014 | 8:15:45 AM
Re: Security begins "inside the box" -- protect the software first
@macker490 -- you write: the industry runs around in circles playing whac-a-mole but does not address these issues (of protecting the software first).  

So what is your formula for change? 
macker490
User Rank: Ninja
7/13/2014 | 7:46:23 AM
Security begins "inside the box"
in terms of security: you must protect the software first -- before there can be any meaningful discussion of security. if you are using an o/s that leaks worse than a sieve you have to start by changing that.

once you have protected your software then you can move on to authentication. all transactions must be authenticated and this includes particularly software updates not just orders, invoices, EFTs, PII data and the like.

the industry runs around in circles playing whac-a-mole but does not address these issues. until it does there can be no real progress

we have probably passed the point of tolerance for systems that were not built to be secured. change will be essential in order to continue to expand electronic and digital based commerce. security is not an option, it's a requirement. and we have to take an effective approach to it

protect the software first

then work on authenticating transactions