Three Things Good Security Processes Won’t Do

Tuesday, March 15, 2011

Brent Huston


We hear a lot of talk about needing good information security processes, but why are they so important?

Well, besides being the basis for a strong security program and compliance with regulatory guidance, they also represent the best way to get consistency across the security initiative and between silos of knowledge.

Done right, good security processes halt infosec by “cult of personality”, but they aren’t infallible. Here are three things that having good information security processes won’t do:

1. Defense Without Funding

Even the best security teams often struggle to convince upper management of proper budget needs.

While good security processes might help you generate metrics and real world threat insights that you can use to explain risk to your management, as the old saying goes, if they spend more on coffee than infosec, they will get hacked and they will deserve it.

Even good processes can’t save you if your security team is resource starved.

2. Pet Project Sink Holes

We’ve all been there: a manager or executive has an idea that steamrolls into a project, and yet the thing was doomed from the start.

IT and other parts of the business, including security, can get drawn into the vision and throw a seemingly never-ending stream of resources down the gullet of a project that never seems to progress, but just won’t die.

Unfortunately, this is another place where strong processes just don’t help. Once the project captures the imagination of the executive team, the game is pretty much over. You ride along or die.

Where you can win here with strong processes, though, is by defining good minimum levels of resources that your policy forbids being switched to other tasks. Then, at least, you have a baseline to hold to when one of the hurricanes of fail comes over the horizon.

3. Zombie Apocalypse

Nope, they won’t help you here either. Good processes tend to break down when the zombies are munching on the brains of your team as a snack.

Yeah, we know, we saw the screenplay too, but we still think that whole Charlie Sheen in grubby clothes and gray make-up thing is just another tacky grab for more attention.

Seriously, other than these, good processes help with infosec. Get started on them right away, before the zombies reach the data center...

Cross-posted from State of Security
