What’s on your top 10 security list?

I’ve always been a fan of the SANS Institute’s Top 10 Vulnerabilities list, even after it morphed into a Top 20 Vulnerabilities list. It’s encouraged other useful lists as well, such as the Top 20 Programming Errors and Top 20 Most Critical Security Controls. The OWASP Top 10 Web Application Security Vulnerabilities is just as useful — and the fact that most of the items on the list haven’t changed over the past decade is very telling. These types of lists are great for corralling consensus about what the biggest problems are so that they can be addressed in a focused manner.

My question for you is, does your organization have a top 10 computer security problems list?  If so, is the list well known by all members of IT management, computer security staff, programmers, and infrastructure support folks? If you don’t have a list — or if no one else knows about it — how can you be sure that your IT department is focusing the right amount of resources on the right problems?

[ Learn how a rough economy creates opportunities for better IT security. | Tune in to the InfoWorld Security Central channel for the latest IT security news and reviews. ]

I constantly run across organizations that do not adequately address high-risk problems; rather, they get sidetracked into solving midtier problems that are easier to crack. For example, an organization’s biggest problem might be that of end-users installing Trojan horse malware. Meanwhile, the company is pouring money and manpower into stopping remote buffer overflows or trying to achieve 100 percent patching compliance — even though these solutions resolve but a small percentage of the organization’s overall computer security issues.

Building a top 10 computer security list for your organization starts with identifying and ranking threats based on the best metrics you have. You should then get team and management approval for the items that make the final list. This forces everyone to affirm and focus on the biggest problems.

Once you’ve created your list, be sure to communicate it using the normal computer security education methods (such as e-mail, posters, newsletters, and so on) to ensure all the relevant teams are working to tackle your top security issue in their own special-interest way.

For instance, suppose JavaScript exploits are the biggest problem. The workstation configuration team can focus on locking down the browser(s) to prevent rogue JavaScript applets. The programming/development team can focus on preventing XSS (cross-site scripting) attacks in their own code. Groups purchasing new software can be on the lookout for applications that rely on JavaScript and communicate to the potential vendor about the concern of JavaScript exploits. If you don’t focus people on the big problems, they might remain fixated on addressing issues within their individual spheres of influence. A top 10 list helps everyone see the health of the forest while working in the weeds.

Tracking progress is also critical to success. Someone should be responsible for measuring the metrics of each item on the list and delivering a progress report to the larger group each year. At that time, the group should review the list to determine if any problems can be removed and if any newly growing security issues should be added. If metrics grew worse for a particular item, the team will need to devise a new plan of attack, perhaps built around effective strategies used to combat problems that have been knocked off the list.

Once created, your top 10 computer security list will likely never go away; rather, items will move around or be replaced by other more pressing issues. However, this is an idea that gives the organization a means of focusing on the most important ways to reduce risk and to draw a virtual line in the sand to measure against each year.

Related content Good security in recessionary times A rough economy can be a good opportunity for your company to pay attention to the basics of IT security

The killer app for mashing malware Security software needs to take a multipronged approach to stopping Trojan horse executables

The one essential truth of computer security Unless you solve the all-important problem of locking down end-user PCs, all of your other security defenses will fail you