Tag Archives: risk

Security… It is Not what you do… It is How you do IT

You know that alarm system you bought? How often do you turn it on? How often do you check to see if it is working? Do you think about your habits and whether having them makes you more at risk? For instance, do you close the garage door before you open your house door, ensuring that no one runs under the garage door and into the house? When you enter the code on your alarm system, can someone see it from the windows? Do you pay for the alarm company to monitor your system? How often do you change the code? Yes, just putting up the signs in your windows or on your front lawn deters people, but it isn’t a guarantee. Yes, buying the system is a big step, but leaving it on the shelf does not do you any good. Stick with me here…

Recently I tweeted the comment that “security was better in a virtual world than a physical world”. I am a true believer in this statement and will continue to share the thought in my presentations and blog. The “push back” I received was not that the statement was incorrect but that I used the incorrect words. This is exactly why I am not a huge fan of Twitter. It is hard for me to have a discussion about anything in 140-character bursts à la Twitter. I tweet thoughts and retweet others’ thoughts, but having a discussion I cannot. I certainly understand Twitter’s role in the industry, and I certainly have not learned the correct process for it and have been corrected multiple times. Live and learn, right?

What I love about security is the fact that security should always be based around a discussion. Security is NOT about products. Security is about implementation and how it is implemented. For instance, you can have a secure environment with one product… a door lock. Put the server in a locked room that only one person has access to and never put the server on the network. Now this might be idiotic, but there are use cases around it. Every security discussion requires a use case and an understanding as to what risk the customer is willing to take, and then a solution is built around this. But a solution does not work unless it is implemented (correctly) and continuously monitored. If you put it in place and then just leave it assuming it is just going to work… you are crazy. Security is a daily… hourly… minute… second by second responsibility, and if you take your eye off of it for just a moment, you will lose sight of why you implemented it in the first place. Security is nothing without the correct policies in place… without defense in depth. If you do not understand the infrastructure, if you don’t know the business you are trying to protect, there is nothing that can save you.

In the long run, security isn’t better in any world unless it is implemented correctly and is constantly rechecked to ensure the implementation is doing its job. There are new viruses, new attacks, new technologies, new everything on a daily basis, and in a security world you need to keep up with it. Now I still believe that security in a virtual world is better than a physical world, and luckily I had already had this discussion with the customers on the day that I sent the tweet. The customers knew why I made a comment like that, but the average citizen may assume that they can set it and forget it, and security is nothing like that. There is a language to security and a dialog that is much longer than Twitter… That is why I started this blog.


the next blog entry

The worst part about deciding to start a new blog is determining which topic you want to discuss next (at least in my opinion… so far). I started a list of things that I knew I wanted to bring up, and of course RISK was one of them… how could it not be. It is what I talk about on a daily basis. I consistently stress the importance of understanding the risk associated with everything. But as I was doing my job, I came upon a blog regarding risk and it hit me… of course risk is important, but what about the trust?

Isn’t trust the cornerstone to risk? Isn’t it necessary to trust your data in order to establish your risk level? How do we do that? I am not talking about PKI, I am talking about trust in the collection of the data and trust in the classification. Collections and classifications are done by software and people, and we have to trust both of them. We have to trust that the software is doing its job and that it never stops. The same is true for people… we have to trust that they are doing their job and never stop. The minute that either one of these fails, or worse, both of them fail, our risk increases drastically… our whole foundation is rocked (wait, am I still talking about technology?)

Now in actuality, it is a vicious cycle, mostly because everything is dependent on something else. We do have to trust the software and the people, and that trust MUST be factored into the risk level. You trust someone more because they have proven to do what they say, and therefore your risk goes down. They screw up once and risk goes up… it is almost like security is mimicking life. You need to build up trust with everything… with products, people, customers, data, etc. If you cannot trust these aspects, you cannot do any security within any setting. Trust is a cornerstone to security. I am still going to push the “risk factor”, but I think I have a new slide for my deck…
