Do It Yourself?
By Brian Boyd (CISM), Director at i-confidential
Have you ever noticed that wee arrow that sits next to the petrol pump symbol in your car? It tells you which side your fuel cap is on. I’ve been driving for nearly 30 years and yet it didn’t even register with me. I can’t tell you how many times I’ve pulled into a garage forecourt on the wrong side. If only I had known…
Managing an organisation’s security can be like that. There’s so much to understand that sometimes you miss things. In my previous article, ‘Let’s be more positive about Security’, I discussed how important it is to have a baseline understanding of your security position.
But how do you do that if you don’t know all the things you need to look at? A popular option is to get a professional organisation in to carry out a review. For now though, I’m going to focus on an alternative - the DIY route.
Before embarking on this journey, you need to ask, ‘Do we, as an organisation, have the skills to carry out a review?’ Thinking about this question first will dramatically increase your chances of a better result at the end. What follows are some things to consider.
Where do we find someone to carry out the review? Usually, much of the knowledge to review an organisation’s security sits, not surprisingly, within the security team. Those individuals, however, will probably need to review controls that they’re also responsible for running. Take into account any conflicts of interest and be careful of confirmation bias - more on this later.
They will also need to look at controls run by other teams, such as infrastructure or applications. Will a member of the security team have the skills to review multiple areas of the organisation? Can they understand what is being said? Many people end up specialising in one aspect of security. For a successful review, you need to be familiar with not only the individual controls, but also how they operate together.
You should also ensure the individual understands good practice for security controls, both within a traditional security setup, and within the other teams that run them. And it’s preferable that they’ve had some security exposure in multiple organisations to put the effectiveness of any controls into context.
In line with this, consider whether the individual has the necessary experience to carry out a review. Have they ever reviewed anything before? Do they know how to plan, gather information, and present the results?
Don’t underestimate the importance of gravitas. Being senior enough or even just confident enough to challenge other teams for the right information is vital. The point is to keep in mind how the individual will be seen by those he or she is reviewing.
Again, watch out for confirmation bias, where you focus on information that supports what you believe, and ignore relevant facts to the contrary. It’s a common issue, and it can get worse the further up the hierarchy you go. It’s important that the review remains balanced and impartial.
It seems like a simple thing. Pick someone to review your security. Unfortunately, it’s not simple at all. You need specific skills, wide experience, a good understanding of local politics, and a strong awareness of any conflicts of interest. Remember that the goal is to get a baseline view of your entire security position. The person or persons you choose to do that will have a major impact on whatever results you get.
Focusing on people is the first important step. The next step is what you assess yourself against and how you actually carry out that assessment. More on this in my next article.