There's so much fear, uncertainty and doubt in the information security world today that many people have become pessimistic about the possibility of keeping all of the bad stuff that's out there out of our systems and networks, or at least detecting it in time to eradicate it before any great harm is done. I'm not one of them. I believe that with the right mix of attitude and aptitude, building a secure enterprise is within anyone's grasp. Will the security be perfect? Of course not. But I think it will be capable of meeting the challenges faced in today's threat environment.
Not that I want to sound cocky. In fact, I always find it a good idea to refer to one of my favorite quotes: "There ain't a horse that can't be rode, and there ain't a man that can't be throwed." Nonetheless, I am confident that truly effective information security programs can exist. In fact, I've seen some of them. Not a lot of them, it's true, but their very existence suggests that more organizations can join them. I've reviewed hundreds of information security organizations over the years. The vast majority were mediocre at best, but every once in a while, one comes along that restores my faith in the art of the possible. I encountered one recently, in fact. Let me tell you about it and certain attributes that make it stand out.
- A positive attitude. A "let's get this done" attitude permeates this enterprise's information security organization, from the most senior executives on down through the ranks. That kind of consistency of mind-set doesn't happen by accident. It takes a culture that supports and encourages it. Not nearly enough organizations have such a culture, and that is a shame, because a positive, can-do attitude may be the single most important element of a successful infosec program.
- Rigorous procedures. It is the practice in this organization to examine all data moving through its primary Internet ingress and egress points (including SSL-encrypted traffic). It does full-packet capture across the enterprise networks. It has solid endpoint security practices. It reverse engineers all new malware as it's found. It does much more, but the point is that the organization's security practices are both broad (social media monitoring, for example) and deep (such as malware analysis).
- Wide-ranging threat intelligence gathering. Having accurate and actionable threat intelligence is vital today. This organization has established relationships with a wide range of threat intelligence sources to help it remain abreast of new vulnerabilities, exploits, malware, etc. Its sources include product vendors, information-sharing organizations and operational security groups in its industry sector.
- The ability to make the most of its resources. It's a positive sign for all organizations that this particular infosec program is no different from most, in that it has to fight for its budget and resources. What sets it apart is that it gets the most out of those resources. It does this by turning to vendor support for niche expertise such as malware reverse engineering; relying on government organizations for specialized support when needed, since it is in a highly regulated, critical-infrastructure industry; and pulling in representatives from many departments for things like the incident response program -- executive decision-makers, the IT security team, personnel from the security operations center, the general counsel, representatives from corporate communications and human resources, and others.
- Constant practice and training. Major security incidents don't go away simply because a couple of technical controls are applied. They require active and competent collaboration among many key stakeholders across an enterprise. It's easy enough to write a process document that describes how these interactions should take place, but there's no substitute for running those plans through their paces from time to time. A multidisciplinary tabletop drill can quickly spotlight process failures and demonstrate for the entire team the vital need to properly coordinate security emergencies when they arise.
- Continuous improvement. In my review of this organization, I noted several areas that could stand to be improved -- as I do for every organization I review. As I said, no program is perfect. The thing is that a lot of organizations basically ignore my feedback, though they've paid good money to receive it. Not this organization, though. My advice was well received, and I have it on good authority that it is being implemented as part of the group's continuous improvement process.
There were other things that made this organization stand apart, but these are particularly significant -- and none is more vital than the first. The others won't happen if you don't start with a positive attitude.