In Security And Compliance, There Are No Shortcuts

I was privileged to have been able to attend the 2013 RSA event.  While catching up with old friends and meeting colleagues was exciting, seeing the new technologies being released is always the high point of RSA.  I am always struck by vendors promoting “today’s solution to tomorrow’s problems”.  Some of the newer solutions this year appear to be designed as “one simple fix” to the very complex problem of security.  Unfortunately, there is no easy fix or single solution that addresses all security needs, and technology without proper management can create serious issues.

The people, process, technology equation

I often tell clients that I have never seen a firewall get angry at the boss and decide to quit coming to work.  I have, however, seen a number of instances where a firewall was misconfigured or mismanaged by employees.  This truism emphasizes that companies need to ensure they employ a comprehensive approach that includes people, processes, and technology.

People: People are fallible and prone to mistakes.  Ensuring that your team has skilled, well trained, and effectively managed employees is the first key to ensuring that your security strategy can be implemented effectively.  As with all aspects of security, “trust but verify” should be the mantra for managing those responsible for security.

Processes:  When discussing security, “consistent and repeatable” should be the goal of all processes.  The foundation of a solid process is the establishment of approved and enforced comprehensive policies and associated procedures.  Enforcement of the policies and procedures ensures that the tasks are being consistently repeated in an approved manner.

Technology: Firewalls, routers, IPS, and anti-virus solutions are little more than tools to support the security strategy.  Proper technology can make management of security more efficient and effective, but it requires skilled, trained, and properly managed people to configure and maintain it to maximum effect.  Ensure that your company is investing in the proper technology to tackle the security issues of your organization.

If your organization struggles with security management or simply does not have the resources available to effectively manage an increasingly complex security function, where can you turn?  One of the answers may be a managed security service (MSS) provider.  By leveraging the people, processes, and technologies of a third party, your organization may be able to more effectively manage the particularly complex aspects of security such as firewalls, IDS, and logging.

How are you honing your people, processes, and technology in terms of security?
Chris Mark, PCI National Practice Lead, AT&T