Home > Intel Communities > Open Port IT Community > IT@Intel > Blog > 2008 > December
Up to Blog Posts in IT@Intel
Previous Next

IT@Intel Blog

December 2008
Matthew Rosenquist
0

Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for December:

Be mindful of the security message you deliver to your customers and how it is interpreted

Rallying your populace to be security savvy is a worthwhile investment and must be approached with the appropriate diligence. It is not enough to haphazardly deliver security information and walk away. If it is perceived as ‘junk-mail’, it will be treated as such. Information security must be understood and applied in order to make a difference. This embrace will only occur if the audience understands not only the message, but also why it is important and the overall context. Every good communication program draws in the audience by letting them know how it applies and benefits them.

If we want to be successful, we have an obligation to understand what is being absorbed and how it is being interpreted.

Andy, ITGuy has a great post (check out the picture for a good laugh).

“How we communicate our security plans has to be in a way that the user will understand and that will make them want to work with us”.  This is key, as ultimately it is a partnership between dedicated security folks and the organization they protect.

Additionally, Mike Rothman has some great follow-up comments which I think nails the right perspective:

“effective communication is based upon the perception of the person on the other end”. Sounds basic, but how often do we ignore this fundamental principle in our rush to deliver our message?

If you are interested in good security insights, consider subscribing to Andy,ITGuy and Mike Rothman’s blogs. They mix perspective, humor, to timely issues.

So am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - May 2008

0 Comments Permalink Tags: model, matthew_rosenquist, rosenquist, defense_in_depth, information_security, optimal_security, security_training, communication, corporate_security, security, value
Matthew Rosenquist
0

Most security programs show value by either reducing the number of incident occurrences or reducing the impact of those incidents.Understanding where a program draws its value and how it fits in a defense-in-depth strategy, gives insights to where it can be maximized for optimal benefit and raise flags when expectations are mismatched with function.

 

Occurrence and Impact

Simply put, security incidents happen and they cause discomfort. Effective programs will either affect the number of times they occur and/or will lessen the negative impact. These aspects of Occurrence and Impact are important when we look at the complexities of measuring security value in the real world. It is a basic first step, but this type of framing establishes boundaries and clarifies expectations.

 

Once understood, it may be possible to measure the effectiveness to a level which determines general value and applicability. It can paint an important piece of the picture showing how the collection of security programs provides coverage to the landscape of attacks. Additionally, the big picture can identify inefficient duplications of security services.

 

Do all security programs manifest value in this way? No. Some efforts are tailored to meet regulatory, ethical, or emotional needs. For those types of initiatives, this general framework has limited applicability to measure value.

 

Intersection of Defense-in-Depth

The diagram below is an overlay of the Occurrence/Impact domains with the Defense-in-Depth categories as they intersect a typical attack lifecycle.Mapping security capabilities, tools, and services will show coverage and gaps for different types of attacks.

 

How Security Programs Reduce Losses from Cyber Attacks1.jpg

 

Defense in Depth Information Security Strategy

Information Security Defense In Depth Whitepaper is Now Available

0 Comments Permalink Tags: security, roi, value, rosi, information_security, defense_in_depth, optimal_security, model, risk, matthew_rosenquist, rosenquist

Popular Blog Posts