RSA 2012 Day 1: Surviving as a Security Leader

All this week I will be posting notes from the RSA Security Conference taking place from 27. February – 3. March 2012.

Day one of the conference consisted of a half-day seminar on the topic of building a security organization. The five presentations were geared mainly towards CISOs, and each of the presenters is a current or former CISO. I attended this session hoping to hear what CISOs consider when setting up an organization, what their priorities are and what their vision of the future might be, so that I could understand what opportunities might be available for me as a solutions architect in supporting their efforts.

A main theme running through all of the presentations was the alignment of security policies, strategy and initiatives with the business. The CISO must take the time to understand the risk profile and risk tolerance of the organization and be able to propose policies, strategies and initiatives that are in line with them. Just following regulatory requirements or implementing so-called “best practices” will not cut it. Regulators are looking for this understanding of what the risks are and want to see initiatives and policies in place to mitigate those risks.

Associated with this is an understanding of the appetite for change within an organization. Proposing too much at one time could overwhelm stakeholders, and you may get nothing approved. It is better to prioritize and propose actions in small doses, building confidence and credibility along the way.

One of the key factors in this alignment, and also a topic in each of the presentations, is the use of security metrics and reporting. Done right, reporting on relevant metrics can go a long way towards showing the value of the security program and its progress over time. Reports should be tiered to show relevant data to each type of stakeholder, from the Board down to the operational teams. A one-size-fits-all report won’t work. Above all, reports should add business value and be explained in a language appropriate to the audience. Of course Andrew Jaquith’s book “Security Metrics: Replacing Fear, Uncertainty, and Doubt” was referenced a number of times, and he will be part of a panel discussion later in the week. The book is a must-read (yes, I own it and have read it 🙂 ) for anyone planning security reporting or security presentations for customers.

When asked which parts of the security organization should be outsourced and which should not, the panel agreed that oversight, governance and strategy should be kept in-house. Routine operational tasks, and tasks where expertise is either unavailable or too expensive to keep in-house, should be outsourced. Some examples are IDS/IPS monitoring, source code analysis and penetration testing. Interestingly, SIEM and desktop security got mixed answers, since the panel was not convinced that an outsourcer would have a good enough understanding of the customer’s risk profile.

All in all, this was a good session to start the week off. Given the number of technology companies that will be on display this week, it set the right tone, even if there were no earth-shattering revelations.