Report Card: 2007 Incite #1 - Get with the Program

Submitted by Mike Rothman on Mon, 2007-12-24 07:32.

Yes, it's that time of year again. It's accountability time. Over the next 5 days (culminating in the New Year's Eve spectacular!), I'll be critically evaluating all of my 2007 Incites (that's my vernacular for predictions) and giving some perspective on what happened, what didn't, and why.

So without further ado, let's jump onto Incite #1.

Incite #1 - Get with the Program

As security professionals continue to struggle with the number of threats and contradictory goals (protect information, but assist business), they increasingly turn to structured security programs (ISO 27001, COBIT, Pragmatic CSO) to assist in getting things done and communicating progress. Security management tools (predominately SIEM) continue to leave customers wanting for value and assistance in automating programmatic operations.

Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-1-get-with-the-program
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-9-2007

Final grade: B+

It’s tough to be a security professional nowadays. The attack surface continues to expand, the vectors are multiplying, the bad guys are getting more and more innovative, and it’s still not clear what our main objectives are. So is all the news bad?

Actually it isn’t. I’m not going to blow smoke in your backside relative to how much progress security folks made in 2007, but the reality is the folks that have adopted a programmatic approach are in much better shape today than they were 12 months ago. Nothing is going to be a panacea relative to getting more relevant with your senior team besides good, old-fashioned hard work and effective, outbound, proactive communication.

The Pragmatic CSO approach and philosophy works. I’ve gotten enough feedback from both early reviewers, as well as some folks that are using the process in practice to know that it works. But you have to do it. You have to get out from behind your desk and work the program, building relationships with the senior team, monitoring your environment, and taking care of all the steps in the program.

I’m very excited about what Pragmatic CSO – Year 2 will bring. There will be more ways to access the content, more assistance in implementing the program, and ultimately more success stories. But as with everything else, you have a choice. You can certainly continue doing what the vast majority of security folks out there continue to do - which is to continue to react to every situation, pray that your bosses understand what you do, and keep your resume fresh - so you can move onto the next job before the hazards of the present job catch up to you. Remember, you don’t have to do anything different - I hear the status quo is working out well.

Relative to security management tools, most end users remain disappointed at how much time and money it takes to make the existing generation of security tools add value to their environment. But that never stops the entrepreneurial bug. Now there are new “risk management” offerings hitting the market and others positioning into the GRC (Governance, Risk and Compliance) space - whatever that means.

GRC tools promise to “automate” the compliance reporting process and maybe even associate security controls with risk. I’ll remain skeptical until these tools become easier to use for companies below the Fortune 100. So at least some companies are trying to make some progress and help with the onerous reporting requirements of today’s regulations and audits, but 2008 will still be an early adopter year for GRC, as the market figures out what needs to happen and then how to solve the problem.

Check out the other posts in the Report Card series.