Great question Brian.
My advice is to keep it practical for the audience and be sure to communicate as one-of-them, instead of a standoffish security authority. Obtaining the cooperation of end users is a key success criterion for a healthy security program. It is best to appeal to their logic and common sense rather than their fears. Here are four points which I would discuss (emphasis on discuss - open a dialogue) with your audience. The more informed about security they are, the easier your job will be.
1. Security procedures should be outlined in the corporate policy. It is an expectation of employment, applicable evenly to all levels within the organization.
2. Good security practices reduce the overall risk-of-loss to the company, preserving net profits, and thereby keeping the company strong. This is important to those organizations with profit sharing, retirement plans, etc.
3. When company systems are impacted by a security event, many people can be affected with the burden of more work. It is no fun when the email server goes down or the network is grinding to a halt. It makes for more work and more frustration. Being secure equates to less work when considering security incidents.
4. Most importantly to the individual, being secure keeps their stuff protected and available. Nobody wants to have their system crash, lose an important spreadsheet, or have to turn in their computer to the office tech to get a virus cleaned. I have seen people actually cry when they are told their hard drive is unrecoverable or their email folders are forever gone. Security programs are “only as strong as the weakest link”; it is a teamwork effort. All employees must comply with good security practices, or they are risking not only their work, but that of their coworkers as well.
I run 4 computers on my home network and I like to think that I have a good eye for strong desktop security applications. Keyword here: “like”. I bought a program foolishly without checking reviews and blogs first because the site advertised it as an all-inclusive antivirus software application. To my dismay there is no Vulnerability Management Software packaged in and virtually no IIS protection.
What can any of you out there tell me about good rock-solid endpoint security programs? I feel like I’ve wasted too much time already on security research which hasn’t turned up anything for me aside from that rip-off of a program that I bought. Has anyone seen any free trial appz that I could try? Your input will be appreciated!
Barry,
Although I cannot name any specific products, as it may be construed as a corporate endorsement, I can provide some general recommendations.
As you own and manage the systems, you have an advantage over large organizations. You can easily install multiple tools concurrently and compare results. In this competitive market, most security tools allow for trial periods. I do this myself at home and over time will find the best solution for my personal network.
Be sure to maintain a good defense-in-depth strategy for all your systems. At a minimum, keep your systems patched (both OS and applications), have anti-virus, personal firewall, and adware/spyware solutions. If you are having problems after those controls are in place, look for additional tools like a vulnerability scanner and maybe even a network sniffer.
For home networks, I believe keeping up to date on OS/application patches in a timely manner, in combination with continually updating AV, firewall and adware/spyware should provide adequate security. However, only you know your network, what applications and services you are running, and most importantly what level of security you desire.
Lastly, when evaluating the effectiveness of security tools, be sure to choose mature products from trusted developers and download portals. As you mentioned, doing research on customer blogs and reviews is very valuable. Look for tools which regularly get updated with signatures, as a stale security application rapidly loses its effectiveness over time. Finally, choose products where the interface makes sense to you. There is nothing worse than installing something and not knowing how to use it, not being able to interpret the results, or being intimidated by it.
Matthew,
Kudos on the ROSI white paper, very nice. I am working on a risk management training course, and am looking for a "real world example" or two, on risk avoidance. Any chance I could reference some of your material? In particular, the case study would be very interesting to reference, as it describes the expected effect of security investments based upon actual incident data.
Regards,
Jim Hietala
Jim,
Feel free to use the whitepaper. The reason Intel has created the communities site is to share information and learn from others. We are striving to bring people together and have everyone contribute. In that spirit, feel free to use the whitepaper and I would encourage you to post your own ideas and experiences across the blog forum for everyone's benefit.
Excellent video. Do you have any tips for small businesses who need to communicate the value of security to employees who resist the necessary procedures?