As information security officers, it is our job to walk the thin line between implementing (and operating) controls and enabling our business to do what it is there for in the first place. Often we do so by implementing technical controls that somehow claim to make us more secure. I am talking about things like intrusion prevention, log management, etc.
While it sometimes may be necessary to have an IPS, a SIEM, and all kinds of other cool technologies in place, the real value these tools provide is gained when they are handed to a person who has the skill and time to operate them, and who is able to extract meaning from all the different alerts, warnings, notifications, and traffic lights that these devices produce at the mere push of a button.
I am a firm believer that two of the most important processes an ISO should take ownership of are creating a network situational awareness process and a good incident response process. In some (most?) environments, these detective/compensating processes might even be more important than preventative processes.
When looking at the preventative side, we all do things like implementing firewall policies, building antivirus capabilities into the fabric of our desktops (and servers), conducting regular vulnerability scans, building a patch management infrastructure and conducting occasional penetration tests. And, as much as these processes are important, they are expensive, slow and painful initiatives to start.
A few months ago, I started taking a slightly different approach, which I believe will be very successful in the long run. I have started several working groups and some task forces. In my thinking, I generally distinguish three main governance structures:
Committees: involve (too) many people who meet in a formal setting on a not too-frequent regular schedule. Committees have broad mandates and are not time-bound. A committee does not make decisions; it provides recommendations.
Working groups: have a clearly defined mandate and address concrete problems. Working groups are typically focused on a large problem that may require smaller task forces to address parts of the overall problem. Working groups meet somewhat frequently in a semi-formal setting. A working group has the potential to continue for a long time, but does not necessarily have to.
Task forces: are similar to working groups, but are more focused. Being on a task force is real work. You are expected to deliver your part of the work, do it well, and do it fast. A task force will have a single objective and work towards that objective without distraction. Once the objective has been met, the task force is dissolved.
The working group of which I am expecting a lot is the desktop management working group. Desktop management is one area in which we (as security professionals) can make major gains very quickly. The mandate of the working group spans just about any desktop issue, ranging from changes to gold images, to new software requests, software deployment strategies, antivirus selection, group policies, process changes, etc.
In the few weeks that the desktop management group has been in existence, we have identified several parties who are directly affected and who did not have a real voice up to this point. Now that they are part of the working group, we have seen several improvements already.
The turn-around time to our clients has improved, as has the consistency of the response that they are getting. Internal communications have improved.
By making some simple changes, I believe that we have already reduced our exposure. In the long run, my role as information security officer will decrease to that of a participant, and a more logical role will take the lead.
However, the fact that we have this group now is something that I feel has improved our security. And that is what this job is all about.