Evaluate your security program’s maturity before dropping money on a quick-fix “hot” product.
Evidently, there is an increasing fascination within the American psyche with hoarding, the excessive collection of items, along with the inability to discard them. This is evident in the popularity of television shows such as “Buried Alive” and “Hoarders”.
“The acquisition of possessions that appear to be useless.”
I have a basement and a garage with creeping semi-completed projects ranging from a rebuilding of a lawnmower and lattice work to a geo-cache lock box. These projects are “on hold” until I either have the time or parts required to complete them. Sound familiar? None of these are finished projects and currently provide me little to no value.
Are you hoarding these “solutions”?
There is another type of hoarding that I see almost daily, that is found predominantly in the Information Services departments of organizations and that is the hoarding of security “solutions”. These come in the form of Intrusion Prevention System, IPS, appliances, Data Loss Prevention, DLP, “toolkits”, and Security Event and Incident Management, SEIM, appliances, Network Access Control, NAC, appliances, all of which are purchased, but never fully implemented. These all sound cool, and fill gaps that can legitimately exist within an organization, but very often these do not provide the intended value, primarily because the company’s security program is not mature enough to derive benefit.
Just like a person who stockpiles purses, newspapers, or shoes might want to ask themselves if they will really feel complete by bringing another one into their house prior to picking the item up, a CTO might want to ask the following questions to gauge if they are really ready for another “solution” before spending a portion of their budget on it:
For DLP, the following questions may be helpful to ask:
- Do governing documents (i.e. corporate policies) exist within the organization that employees must adhere to? Without being able to answer this, there is no way to know what can and can not leave the organization.
- Do we have a data classification program in place to determine what is sensitive data? Similarly, if this is unknown how can you ever hope to determine what data is important to maintain control of?
Before purchasing an IPS or SEIM, to determine if the base structure is in place to respond to an incident, it makes sense to ask:
- Is ownership and custodianship assigned for information assets? If the IPS or SEIM alerts you and this is unknown, who will react?
- Has the appropriate organizational structure, reporting levels, organizational placement, role definition, and position and title criteria been put in place? This is intended to begin thoughts around determining if the organization is structured to determine who is responsible for assets in the event of an incident.
- Have sufficient resources been allocated to address the potential need to respond? If there are not sufficient resources to review the output the value of these solutions will decrement dramatically. It is better to know the answer to this question before investing capital in a product that will sends alerts to a waiting room, to be addressed when free time permits, I know for myself that free time never materializes.
- Is there a formal incident response program (IRP) in place? Again, if there is not a process in place to respond the person who receives the alerts will not know what to do, and now there will be two problems, the incident and the confusion.
For a NAC solution, it would make sense to ask:
- What are the minimum requirements that need to be applied to clients connecting to our network? And are these universal? If there is not a ready answer to this question, there is no way a NAC solution will ever be able to determine if the baseline criteria are being met.
I’m getting better already!
Without these core components, all the “solutions” are like the boxes in a hoarder’s house, providing a temporary sense of comfort, but not addressing the underlying immaturity of the development of the security program.