Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

9/13/2017
10:00 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

20 Questions to Help Achieve Security Program Goals

There are always projects, maturity improvements, and risk mitigation endeavors on the horizon. Here's how to keep them from drifting into the sunset.

Recently, I was at the beach and found myself gazing out toward the horizon. Of course, as we all know, if you were to travel out into the sea trying to reach the horizon, you would never get there. The horizon just keeps on moving right along with you.

Unfortunately, the same can be said about many security programs I've seen over the course of my career. But most often, the horizon — in this case, a time horizon — just keeps on moving. Organizations just never seem to be able to achieve many of the goals they set for themselves.

There are many reasons why this is the case, but I'd like to focus on how organizations can actually achieve their objectives. I know this probably will not surprise you, but this is another great opportunity for a game of 20 questions.

  1. Do we have a focused and well-defined list of risks to the business? No matter how good we are, if we start off without any focus, it will be very hard to achieve successful and timely results.
  2. Do we derive our goals and priorities from the risks we're most interested in mitigating?  It's hard enough to deliver results on time for things that we need to do, never mind things that don't address any of the risks we’re most concerned about.
  3. Do we regularly assess where we may have gaps in our security architecture? This can be another great way to identify where it makes sense to invest time and money in projects. No sense in investing in something that you've already addressed at the expense of something else that sorely needs addressing.
  4. Do we follow the Pareto principle (80/20 rule)? The Pareto principle states that "for many events, roughly 80% of the effects come from 20% of the causes." In the security world, that means that we can typically achieve 80% of the desired results with 20% of the effort. For organizations that are resource-constrained, this is something to think seriously about.
  5. Do we have talented leaders who can shepherd and manage projects through to successful completion?
  6. Do we have talented people who can execute our plans to bring them through to successful implementation?
  7. Do we understand that we cannot do everything? We need to choose our battles wisely to ensure that we do not waste resources on items that may need to take a lower priority.
  8. Do we remember to set aside budget for the most important things? Not everything can be a priority.
  9. Do we remember to include operation and maintenance costs when budgeting? Not doing so puts all of our goals at risk, since people who were meant to be working on different goals will get dragged into O&M.
  10. Are we properly managing the signal-to-noise ratio? Wasting time on false positives is not going to help us achieve our goals in a timely manner.
  11. Are we working to keep shiny-object syndrome at bay? Sometimes management, executives, and the board can get caught up in all the hype and hysteria around the issue du jour. This can pull valuable resources away from long-term goals. Working from a risk register can help organizations manage the hype and hysteria.
  12. Are we focused on what will have an impact and mitigate risk? It is all too easy to get distracted.
  13. Are we managing a continuous dialogue with management, the board, executives, and other stakeholders? This can build confidence and demonstrate movement toward goals in a strategic and calculated manner. That, in turn, can buy fewer distractions and interruptions.
  14. Are we reporting relative metrics, rather than absolute metrics that provide no value for management, executives, and the board? For example, reporting on progress mitigating a $5 million potential loss, rather than reporting the number of alerts that fired in a given week.
  15. Are we showing our progress toward mitigating the risks that we've committed to mitigating? This means reporting progress in terms that are understood by non-security types.
  16. Are we reinventing the wheel? Our field has lots of talented people. If someone has already done something that we can leverage, we can save a lot of time and effort.
  17. Are we staying realistic? We can't all be a 100,000-employee financial company, and we shouldn't approach security as if we are.
  18. Are we working with the right partners? Often, those who specialize in addressing certain challenges can help us achieve our goals more quickly.
  19. Are we continually assessing our security posture and evaluating progress against our goals? It would be a shame to charge ahead 6 to 12 months in a given direction only to find out that it didn't bring us any closer to achieving our goals.
  20. Are we continually assessing our goals against the evolving security environment to ensure they are still the right goals? How disappointing to achieve a goal, only to find out that it wasn't really the right goal to achieve.

Ultimately, a security program shouldn't be like the horizon. We want to achieve our goals in a reasonable amount of time, rather than having them constantly drift away. While there is no simple answer to this all too-common-situation, our game of 20 questions can point organizations in the right direction.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
CVE-2020-26159
PUBLISHED: 2020-09-30
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c .
CVE-2020-6654
PUBLISHED: 2020-09-30
A DLL Hijacking vulnerability in Eaton's 9000x Programming and Configuration Software v 2.0.38 and prior allows an attacker to execute arbitrary code by replacing the required DLLs with malicious DLLs when the software try to load vci11un6.DLL and cinpl.DLL.