Nick the Barber and information security
Questions and observations to help make the right information security decisions (so you don't get scalped)
By Ben Rothke CISSP, CISA and David Mundhenk CISSP, PCI-DSS & PA-DSS QSA, QPASP
December 16, 2010
If you pass by Nick's Barber Shop in Clifton, NJ, you will see this sign. Nick understands his talents and the repercussions for those who do not avail themselves of his talents.
It's easy for Nick's customers to determine the quality of his work, as the results are obvious once his work is done. Based upon the confidence communicated within Nick's very eloquently written sign in the window of his shop, it is a safe bet that he has many satisfied customers.
In the world of information security, those charged with security operations, support functions and/or management probably wouldn't appreciate or even fully understand the "hard line" associated with Nick and his message to potential customers.
It is indeed a challenge to measure the quality of work that has been performed in support of preserving and protecting information assets. Some of the many questions include:
- How does one determine what needs to be in place?
- How effective are the proposed safeguards and security measures once they are in place?
- Does the fact that safeguards and countermeasures are in place equate to sufficient security for the assets?
Unlike the immediate qualitative feedback provided by observing a new haircut (or lack thereof, in the case of a bad one), measuring the quality of one's information assurance program and related controls is not an exact science.
The challenge is that many security groups have had to deal with a growing caseload of increasingly complex projects, with fewer staff and a smaller budget -- all the while with management expecting security to do more with less.
With those thoughts in mind, the following are some of our general observations and questions about information security that should help you make the right security decisions, rather than just carrying out security theatre. Or as Nick might say, make the right cut.
Observation #1 — Bad security incidents don't happen to organizations with a good security infrastructure. Of course, this is not an absolute. But if you look at circumstances surrounding major breaches, penetrations and the like, more often than not, they are within firms that did not have effective and formalized controls in place.
Effective information security is built on risk management, good business practices and project management. Organizations that have taken the time and effort to ensure those items are in place will invariably have better security.
Organizations that take security seriously, and put the people, processes and technologies in place to facilitate that, are much less likely to be at the receiving end of a serious security breach. They are also usually in a much better position to effectively and quickly respond to a breach should one occur.