Want to get a feel for somebody? Read their blog as a start. Security expert and provocateur Marcus Ranum, CSO of Columbia, Md.-based Tenable Network Security, has this write-up posted in the “events” section of his blog:
“Computer security has historically been a disaster and continues to be one [according to Ranum]. Many practitioners have attempted to explain the issue in terms of risk management, failure to communicate, or lack of education. In reality, it is a simpler social problem and is not solvable by any means short of a redesign of human behavior.”
Well, with a style like this, the man can’t be accused of bland vacillation, can he? More on Ranum in a minute or two. But first, my reason for bringing him up: do you, like him, have a pronounced opinion about how a security program should be shaped? What’s the organizing principle (protect assets first, protect the perimeter, go best of breed, or select a different approach for each business unit)? How do you execute? (For instance, are you interested in enterprise unified threat management products that roll, say, content filtering and spam protection into one device?)
Some experts say drilling down on information (and how it is handled) remains the best way for an organization to frame an actionable security policy. With an emphasis on encrypting data “at rest and in motion,” you can take that important step toward building a workable management method.
Phrased a bit differently: this line of reasoning says that encrypting data as it crosses networks—that’s the “in motion” part—as well as in databases, on laptops and so on, is the best foundation for all your efforts. Sure, there are issues like sudden, bewildering bots or insider exposures, the so-called long-tail or outlier exposures. (Depending on whom you talk to, insider exposure is, unfortunately, more the norm than the outlier, but that debate is outside the scope of this piece.) In their view, this is better than too much focus on the perimeter or on each piece of your systems environment. Really, with limited resources, it’s a matter of emphasis.
So, what’s your take? And if you disagree that information lockdown is the essential problem, what alternatives do you prefer? (Perhaps locking down individual IT assets.) From the CIO’s perspective in all of this, certain important customer or employee information needs to be both protected and handled in ways consistent with compliance.
Security not scientific
To get back to Ranum, who is credited with being an early innovator in firewall technology: well, he’s not entirely pleased with the state of digital asset protection. That is, he thinks it could be better. (And much of his experience has been in the ongoing development of solutions in areas such as broad-spectrum infiltration detection, so he’s in a position to know.)
Back in 2006, the security expert gave a presentation to the Virginia Alliance for Secure Computing and Networking regarding what wasn’t working with security. He indicated that he’d come to notice that “there’s not a lot of ‘science’ about computer science and even less about internet security.” Or, as he said in a presentation on using basic principles of the scientific method to gauge security effectiveness: penetration testing is an attempt to determine the quality of an unknown quantity [potential invaders], using another unknown quantity [tools and techniques] and grappling with a constantly varying set of conditions. That’s too many unknowns and no baseline, in his view.
The Tenable Network CSO went on to say that the standard corporate security program is a combination of the probabilities found in traditional risk management practice, merged with information about known things that are wrong with a given company’s systems. The upshot was that such an approach is both inadequate and wrongheaded. Now, I add this bit not because such fundamentals are news to you, exactly, but as a reminder to think in these terms as you work with your security teams. Sometimes the basic conversations are worth having, and the “givens” in the argument are worth exploring.
Although Ranum couldn’t be reached before deadline, I include him as a reference because, as an unusually matter-of-fact subject expert, he seems like somebody who could give you a straight answer when you needed it, and if you didn’t agree with him, you’d probably at least walk away having had an interesting discussion.
If you want to build a program with information management as a foundation, there’s another source that may help you with this matter. It comes from the Internet Security Alliance, a cross-industry group of security professionals, which recently put out a 40-page guide, The Financial Impact of Cyber Security, available via registration at ansi.org.
In an opening chapter, Key Questions for Your Chief Legal Counsel, the subject of running down cyber liabilities comes up, including the need to begin an analysis of security posture with a rundown of the legal rules that apply to information (including information kept by the company, its vendors, and other third parties). In some ways this compliance-101 mindset has helped industries such as banking progress fast and far in getting a grip on their exposure profiles, whether those efforts are perimeter-oriented or content-driven. Many of you get this, but in the spirit of progress, rather than (never assumed) perfection, take a look and see what you think. —CIOZone