I have always found that information security professionals tend to fall into three categories: SWAT Teams, Power Rangers or Nerds with an edge (see a blog post of that name I wrote earlier by clicking here). We all play all three roles, of course, when the need arises. But we all have our tendencies.
When I go beyond just information security professionals and expand the observation to everyone who gets near information security for the enterprise, I find different categories. You’d expect that. The one I find most useful is the split between rule-based vs. risk-based approaches to security and compliance in general.
The rule-based professional wants to know what they have to do. They tend to work exclusively from checklists or project plans. The drawback of their approach is that they treat security and compliance strictly as a matter of resource allocation. If they are thorough, they tend to pass audits.
The risk-based professional wants to tackle the highest risk first. Then the next highest. They seem more driven by adrenaline. The drawback to their approach is that they can find themselves always “fighting fires” and never establishing a stable program. They spend time looking for those risks and they get tripped up when they forget to test their basic controls for effectiveness. If they are manic, they tend to look really dedicated.
Which is better?
In terms of professional satisfaction, passing an audit feels good. But so does being the hero that found a major vulnerability and shut it down.
In terms of communicating with peers, sticking up for a set of standards is sometimes hard, but it is equally hard for folks to argue with you: anyone who does sounds like they’re saying it is good to break rules (a hard sell in most enterprises). On the other hand, you can look awfully smart and perhaps even a bit dashing when discussing the dangers that are out there, but you risk people tuning you out because they’ve heard your “it’s a jungle out there” risk speech one time too many.
How many times can you say to someone: “those are the rules”? How many times can you say to someone “it’s when not if we’ll be attacked”? And if you find yourself saying only one of the two to yourself, you might have a blind spot. And people might start tuning you out.
I am not trying to imply that rule-based folks don’t care about risk or risk-based folks don’t care about rules. Or that one approach or another necessarily leads to better compliance or stronger security. Execution and determination make a security professional successful and ultimately make a program work. That and flexibility.
In a separate earlier blog post, In Defense of Compliance, I talk about using compliance as a design principle in establishing and maintaining a security program. Here, I’m digging down a little deeper and trying to describe the day-to-day mechanics of running that program and prioritizing the work.
Be rule based, except when you’re not. Keep your eye on high risks and use them to prioritize the work, except when you don’t. It’s not as messy as it sounds, but it also requires flexibility.
If you find yourself spending all your time focused on compliance with rules, spend some time doing nothing but assessing risk and brainstorming on where your vulnerabilities are. If you find yourself doing nothing but focusing on one high risk after another, spend some time evaluating compliance and measuring control effectiveness.
I’m talking about what makes you tick, not necessarily what you are doing. It’s a matter of changing your focus regularly to make sure you are really protecting the enterprise. After all, hackers are not entirely predictable. You shouldn’t be either.
And that’s the easy part.
When I talk above about this as a useful dichotomy for “everyone who gets near information security for the enterprise,” I am saying that this way of looking at things is a useful tool when the security professional collaborates with others (and, really, when don’t we?).
Be on the lookout for the rule-based and risk-based tendencies in your colleagues. You’ll notice them. You’ll hear someone in a meeting suddenly say “well-what-are-we-going-to-do-about-Advanced-Persistent-Threats?” They’re risk-based (and what are we going to do?). Or in the middle of a conversation about setting up an environment, they’ll say, “we need to make sure we’re compliant.” Rule-based (and of course we do).
In these cases, if they are going too far, it is the role of the information security professional to provide the counter-balance to these tendencies in others as well as in themselves.
So if someone is reducing security design to a compliance checklist, your response should be along the lines of “You’re right, compliance is an absolute baseline. It is necessary but not completely sufficient because the hackers know the checklists as well as we do. So we need to make sure we’re using dynamic risk assessment as an input in prioritizing our efforts.”
If someone is insisting that protecting against attacks from a nation state is ALL that security is about these days because, “you know, read the papers,” your response needs to be “You’re right, there are threats out there for certain. Let’s make sure we cross the t’s and dot the i’s so we have a secure, compliant baseline to build on.”
In other words, sometimes the voice of reason is respectfully a bit contrary.