Organisations often pay lip service to security "Oh yeah, security is important...pass the sugar please" but don't properly fund and hence resource the information security function. Once a security incident occurs its all "who do I pay to make this go away". The unfortunate reality is that a security function is a slow moving beast, and a rapid cash injection doesn't realize immediate results.
Most improvements are made through people (new capabilities introduced) and process (repeatable documented processes for key security controls especially documented usage of built in security functionality in systems) not shiny new toys. Good information security people are in short supply and getting the wrong people can end up with your organisation stuck in "analysis paralysis" or "compliance tunnel vision". Without the right people embedded in your organisation how does your organisation you uplift processes or even understand the reports/processes written by your consultants?
If your security function is effective, will there be a reduced number of security incidents due to your effective prevention measures? Potentially there will be more security incidents discovered because you are checking logs and looking for evidence of a compromise!
If your security function is in-effective, there is likely to be security incidents, but you won't know about them! We're not in the 90s anymore where security incidents were all digital vandalism style web defacements. Attackers these days are often criminals who don't want attention drawn to their activities.
If you are a CISO or perhaps someone with a keen interest in security at your organisation I suggest you try and remember the following phrases in case of a security incident:
"Who do we task with responding to this security incident? Gee I wish we had a CISO to organise us"
"What did you say? The SOE doesn't have security patch requirements? Well let's note that for further attention".
"What an accidental misconfiguration of a system let this happen? Hmmm.. How could we perform compliance checks in future of production systems?"
"Sorry, you say that the evidence of the compromise was there in the security log all the time? How can we automated review of these logs in future and assign someone to action the alerts generated?"
"An application security flaw you say allowed this incident to occur? Perhaps we should suggest security requirements for applications in the post incident review for this incident".
I suggest you forget the following phrase "I told you so"
Really helpful down to the ground, happy to read such a useful post. I got a lot of information through it and I will surely keep it in my mind. Keep sharing. What does an information security auditor do
ReplyDelete