How can you Manage Multiple Security Opinions in your Business?
We want to make sure that we’re looking at, and managing the opinions of all the auditors. If NIST has an idea, then we’ve got DoD contractors who have a different set of ideas on top of NIST, and are somewhat conflicting with it.
We have others that work for the IRS and they just do their own things – kind of way out to the side since they got hacked not too many years ago. You’ve got PCI and then you’ve got all of your academic standards. At the end of the day, what do they all mean? It’s a bunch of ideas; no one says, “Here’s what you need to do first, second, third, fourth and fifth.”
I look at that outcome and the first thing written on there reads, “You need a half million dollar DLP system.” Then we’ll go in and look at it and say, “You don’t actually have a firewall. You’ve got something like a 1990 Cisco PIX with all the ports open. There is no firewall here.” You need to go in stages, so when we come up with a plan for how we can drive your security forward, what we’re going to tell you is that DLP comes last. If you’re ready to spend that half-million dollars, great, but you need a lot of work before that thing will even be useful, or even be able to function.
If you don’t have a plan, and if you can’t show you’re measuring it, then when you have a government-style auditor come in . . . they don’t care. They’re going to want to know that you did whatever that SOC audit said, or the NIST audit said, or the accounting audit firm said. But if you can show that you’re measuring it, then we’ve yet to see one that doesn’t say, “Oh wait, you’re actually trying, and you’re actually paying attention. Okay, let’s talk about what your action plan is. That makes sense, let’s do that.”
What we find is that, internally, it’s very difficult to do this. One reason is that if you’re an internal security officer, you work there. At the end of the day, if you’re going to yell at the executive staff for making exceptions for themselves, then you’re going to be yelling at your boss. This doesn’t generally work very well. In a lot of organizations, that security officer works for the CIO – who works for the CFO – who is maybe a couple of levels down from the C-Suite, which in some cases is where the security issues are starting.
Unless you measure security, you have no way to know how well you are managing it. In-house teams rarely have time to proactively manage security and measure results. If you would like to learn more about how to deploy the latest Defensive Innovation within your network contact: firstname.lastname@example.org.