Pragmatic CSO Weekly #37
December 4, 2007 - #37
Mike's Pep Talk:
"Jerry: Like when a man goes swimming... afterwards...
Elaine: It shrinks?
Jerry: Like a frightened turtle!"
- Seinfeld, Episode 85 - The Hamptons
Back in mid-October a good discussion broke out relative to what security is supposed to do and whether we can be successful. The Mogull weighed in with his "Optimistically Fatalistic View of Security" post, which made a lot of great points.
Then the Hoff decided that "security" was out, but "survivability" is in. He had a series of posts and took a few head shots given that survivability does entail a bit of a lower bar relative to the promise of "security." Probably the best and most clarifying post is this one, where Chris responds to many of the detractors. Amrit is never one to back down from a scrap, so he jumped in as well.
All of these guys have good points and the reality is that many security practitioners are having an identity crisis. The tried and tested technical skills are not yielding the credibility that we need to become players in the corporate structure and to be taken seriously. Yet, many security folks would rather have a root canal without Novocaine than have to get into the political muck that accompanies operating at a senior level in a large organization.
But all of this stuff has been covered before, ad nauseam. I want to get back to Hoff's original contention that our practice should be more focused on surviving than on securing. I generally agree that the idea of working towards true "security" is a fool's errand. What we are really trying to do is contain the damage and make sure our businesses can operate. Is that survivability? To a point.
The best metaphor I could come up with comes out of the retail business. It turns out there is a long line of Rothmans that have done retail pharmacy in some way, shape or form, so I've been around Mom and Pop pharmacies since I could barely walk. One of the key metrics that a retailer tracks is "shrinkage," or how much stuff just kind of disappears.
I think the metaphor of shrinkage is a good one for security. We are trying to minimize the shrinkage we have due to security issues, which results in possible downtime, intellectual property loss, corporate liability, brand damage or compliance exposures. That's right, if we minimize shrinkage, we can go a long way towards achieving the "reasons to secure" as described in the Pragmatic CSO.
Another reason I like the idea of shrinkage is that it involves a decision on the part of business people relative to the amount of loss that they are willing to tolerate. You can certainly build defenses that mostly eliminate shrinkage, but that also pretty much eliminates your ability to do business as well. So it gets back to a classic risk decision: how much risk is your organization willing to accept relative to the amount of the potential loss?
Shrinkage. I kind of like that - as long as it's not me getting out of the pool a bit too quickly.
In this week's issue:
- This week's P-CSO Tip: Zen and the art of the audit
- Blog post: Luck has nothing to do with it
This week's P-CSO Tip: Zen and the art of the Audit
The day the auditor shows up is perhaps one of the most stressful for security professionals. Will your defenses be good enough? Will the auditor get what you are trying to do and how your layers make for a tight defense? But the reality is that many, many professionals blow the audit, not because their defenses suck, but because their ability to handle the audit is sub-par.
In flies the Security Monkey with a number of great ideas for making the audit go smoothly. The idea of being prepared is a no-brainer, but you'd be shocked at the number of folks that basically print out some reports and let it fly. Not taking the auditor's questions personally and getting defensive is another key technique. I've said this before and I'll say it again: you may actually be able to learn from the auditor - imagine that. So there is no reason to be defensive.
I associate all of these behaviors with a Zen-type existence. The auditor will show up and the auditor will find things that are wrong. You need to accept that reality and not get all wrapped up in it. Of course, you need to stand your ground where appropriate, but a few deep breaths while the auditor is in the middle of his/her examination will do you a world of good.
The best advice of all in this piece is to just BE QUIET. There is a time to talk and a time to listen. If you spend much more of your time during the audit listening, your experience will be a lot better. Or you can try the other way and see the monkey flinging dung at you for the entire audit.
Blog Post: Luck has nothing to do with it
On McAfee's rip-off "Security Insights" blog (maybe they have some insights, but certainly not INCITE), Charles Ross talks about not building security on "luck." But luck really has nothing to do with it, he talks more about knowing what's important and simulating what can go wrong. These are two very important steps of the Pragmatic CSO process. Step 1 has you go through a regimented approach to figure out what's important (and here's a hint, you have no idea what the answer is). Step 8 is all about containing the damage and that means building and practicing your incident response plan.
Luck is a strange phenomenon. I definitely believe that some of us are lucky. A lot of us make our own luck. Those of you that work the program, do the right stuff consistently, and pay attention to what's important seem to be lucky a lot more frequently - which is no coincidence.
Buy It Now!
Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step, take that step today.