What does an IT Security Strategy Look Like?
Hello. I am Steve, and I am here to take a look at your IT security posture. To start off, let me see a copy of your security strategy…
Sound of long beep...followed by uncomfortable shuffling of papers.
In almost every security assessment engagement I have ever been on, clients have a really hard time articulating an IT security strategy.
Really Steve, why in the #$%# would we need a security strategy? Or they might say something like “Our security strategy is to hire a CISO,” or “We will be more secure in 2015 than in 2014.” Worse yet: “Our strategy is not to get breached in 2015.”
Let’s get something straight – IT security is like fighting a war. A defensive war. A war of attrition. Really evil bad guys, really nasty consequences. And, like in war, soldiers might be on the front for many months with no sign of activity followed by huge battles overnight. Some get no respite.
There are casualties – customer and brand loss of trust, fines, litigation, executive terminations, frustration, cost…yep this is a real war…
And in this IT security war – we are fighting without a discernible strategy!
So, to help you understand what I mean by an IT security strategy, I have prepared a simplified outline of an approach for you to think through. If you do, you might learn something new, but I am not suggesting at all that this is the only approach. I acknowledge that your industry has many facets that this approach does not cover. I offer it only as a starting point.
A Strategic Approach to IT Security
Know yourself, know your enemy, and know the ground, and you will win 100% of your battles.
Sun Tzu, Chinese General
To know yourself in IT security is to know a few basic things:
- What are we trying to protect?
- Where do these assets reside in our organization?
- What security controls do we have in place now?
To know your enemy in IT security is to know:
- Who would want our data and secrets?
- Why do they want it?
- How are they most likely going to attack us to get it?
To know the ground is to know:
- The threat landscape – all the ways you could get attacked
- The level of technology and skill needed to assess and navigate the landscape
- What is happening in the IT security space – current threats, industry trends, etc.
Now, assuming you have this basic knowledge in place, I am going to propose an approach to IT security I have arrived at after answering these questions for many corporate and government customers.
- I have observed that on average, 20% of US entities will get hacked every year.
- I have observed that a variety of attack vectors and methods are used…however, the most common attacks come through the network.
- I have observed that most businesses do not have the basic building blocks in place to monitor, detect, identify, and mitigate IT attacks.
- I have repeatedly observed that the cost of a breach is directly connected to how quickly you detect it and how quickly you are able to respond to the attack intelligently.
So, here is a sample strategy framework you can use based on these very few facts:
- We will adopt at least one major, generally accepted security framework to ensure we have the basic building blocks of security governance and IT controls in place. Picking one can be easy if it’s regulatory, like HIPAA. If you are an international entity, consider ISO 2700x. If you deal with payment cards…you have already heard of the PCI DSS.
I really don’t care which one you have to use, or choose to use; they tend to share the same security DNA. If properly understood and implemented, they can help you ensure that you have common controls and a baseline of defense in place. I will also tell you that if you think compliance with any standard will make you safe…then you aren't paying attention.
- We know that the base cost of a lost record is $213 (Ponemon Research Institute). More if it is IP, of course. We also know that there are actions we can take that are proven to reduce this cost (adding a CISO drops it by $10, for example). It just so happens that the same things that reduce breach cost also improve security. Therefore, we will focus all of our IT security efforts on reducing that number to a target number we choose.
- We know that the biggest attack vectors are our people and our network.
- We will focus on ensuring our people are informed and ready to deal with any kind of attack quickly, for we know that the less time passes between detecting an event and dealing with it, the less the attack will cost.
- We know that we cannot prevent hackers from attacking us. We will do everything reasonable to prevent getting hacked. (Remember, adherence to a standard, as in point one, may provide guidance in selecting common controls.)
- We will become experts at attack detection on our systems. Our goal is to have the tools and process needed to first detect all attack events, and then defend against a detected event within 10 minutes of detecting it.
Now, adjust this as you see fit to align with your industry. I hope this helps.
If you have questions, give me a call or email me at: solson@appsecconsulting.com
Steven Olson