Pragmatic CSO Weekly #45

Submitted by Mike Rothman on Wed, 2008-02-20 14:18.
Pragmatic CSO Weekly

February 20, 2008 - #45

Mike's Pep Talk:

In a perfect world, security begins at the beginning of time. Unfortunately, as AndyITGuy points out, the world is far from perfect.

In today's Pep Talk, let's revisit the skills that are absolutely critical to being a successful security professional. First, let's focus on the technical stuff. You need to understand web applications and a bit about web application security, because web applications are going to be the most commonly used attack vector for the next few years.

Go get that JavaScript book and make sure you understand the fundamentals of AJAX and can see how a cross-site scripting (XSS) attack happens. You'll also want to familiarize yourself with cross-site request forgery (CSRF) attacks.

But that's the easy stuff. As I mentioned in the 2007 Incite called "CSO Next" - the technical stuff is not going to determine success or failure for today's security professional. It's the ability to persuade, cajole, stiff-arm, and ultimately get the other senior managers (both within and outside of IT) on board with the need to think about security early in the process.

Back to Andy's situation, because we can all learn from his post. First of all, change doesn't happen overnight. Yet with persistence and consistent effort, it will happen. Andy started with a few project managers, and then got a structural process change: his sign-off is now required before an application can be deployed.

As long as he doesn't position security as Dr. No or yet another hurdle to jump over, his rock is rolling downhill. It will gather speed and within a reasonable planning horizon (it could be months or years depending on the culture) security will be an intrinsic part of all technology efforts. And that is definitely a hallmark of CSO Next.

Photo credit: Gari.baldi

The importance of awareness training

Since we are revisiting a couple of Pragmatic CSO hallmarks this week, let's touch on security awareness training as well. I dug through my archives and found this survey from last year covered in InformationWeek. It's horrifying for a guy who evangelizes the need to have layers of defense deployed to stop as many attacks as possible.

YOUR END USERS ARE A LAYER. Just like a firewall that is in front of an IPS, that is in front of a web application firewall, that is in front of a network security monitor, that is in front of a database monitor, that is in front of a partially encrypted database: you want a number of complementary layers in place so that if one control fails, things don't go south. Your end users can be another important layer of defense against a world of increasingly malicious client-side attacks, because the phishing message or drive-by page that gets past every network control still has to get past the person at the keyboard.

Unfortunately, your users are not born with an instinct to defend themselves against cyber-predators. They've got to be taught. And you have to teach them.

It's easier to just buy a product, or outsource a function and hope the problem goes away. Yet you know that hope is not a strategy. You need to use all of the resources at your disposal, and your end users are certainly one of them.

Buy It Now!

Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step; take that step today.


BUY the Book Buy the PDF