Pragmatic CSO Newsletter #65
September 10, 2008 - #65
"It's one thing not to see the forest for the trees, but then to go on to deny the reality of the forest is a more serious matter."
-- Paul Weiss
Can you see the forest for the trees? Take a look at the picture below. Is it a thundering ocean? Or is it an electron microscope image of a piece of fabric? I don't know, it may be both.
But that isn't really the point. One of the hallmarks of the P-CSO is to think about the PROGRAM of security and to embrace the reality that the senior security professional's job is NOT to configure firewalls or ensure 99.999% AV coverage anymore. It's about managing the process of security. It's about persuading your peers on the executive team that security is important and they need to factor that into their own operations.
Per usual, Richard Bejtlich summarizes the concepts much more effectively than I could by breaking security up into macro and micro-security disciplines. I tend to work (and think and write) from the macro perspective. This is all about the BUSINESS of security. It involves positioning the value of the security program, evangelizing it, and then selling it to the folks that actually do things.
Micro-security is about what gets done: the day-to-day operations that drive the security process and hopefully repel the attackers for one more day.
To be clear, both are important. Many folks opt to focus on micro-security because that's what they know and they tend to feel more comfortable with their technical hats on. Even Richard admits: "I think I prefer microsecurity issues but spend time on the macro side when I have to justify my work to management."
And you can get through most days just focusing on the micro. But we need to keep in context that macro security is about more than justifying work to the money men (and women). The work you do on the macro side is about credibility. If you don't have that, you'll likely be sunk when the inevitable incident happens.
And then you'll have a lot of time to figure out the forest from the trees.
Photo credit: Bewdlerian
The Greatest Asset (and Threat)
As Matthew Rosenquist points out on the Intel blog, it's our people that are both our greatest asset and threat. That's why education and evangelizing the importance of security are so important. Your employees don't want to think about security, they want to do their job. But they can do their job with a healthy respect for attackers and a consideration for protecting private data and intellectual property, or not.
Your job is not to make their life hard, but to always be there to remind them about right and wrong. Especially when they first join the company. There I go again, talking about evangelizing and selling. If you want to focus on the micro (see above piece), that's fine - but understand that someone has to focus on the macro, bigger picture security program stuff.
Your job is also to save the employees from themselves by putting layers of defense in to make sure that even when they do stupid things, they don't put themselves or your organization at risk. But we don't need to tell them that, do we?
Just to be clear, it was Ravila White, not Richard Bejtlich, who first described the concepts of micro information security and macro information security.