Last week, Ross Brown posted his Four Questions to Improve Security over on the Technobabylon blog. I highly recommend checking out the post if you haven't done so already. Now, Ross' questions were aimed at vendors (i.e. they are questions a potential customer can ask a vendor to help improve the security of their own environment). Anyway, so you have them without having to go to the original post (although I recommend that you do), his questions were:
1) How are you protecting the network?
2) How are you protecting applications and data?
3) How are you protecting systems?
4) How do you know how you are doing?
Now, these are useful in the context of vendor-client interaction. However, within the enterprise itself, I am oftentimes surprised at the questions that practitioners don't ask themselves. Like:
1) What does the business I support do? And how do I know when they do something that impacts security?
2) Who are my vendors and how do I make sure they handle security appropriately?
3) Where does the data come from and where does it go?
And so on. Very often, I meet individuals in industry tasked with protecting data, tasked with securing resources, and tasked with protecting assets who don't have answers to these questions. Although I'm not sure that it's appropriate for a vendor to ask them (and therefore probably not appropriate for inclusion in Ross' list), I do think somebody should be asking these things.
Posted by Ed at January 25, 2007 11:10 AM

Hi Ed,
I just came across your blog. Very nice! I agree that there are lots of questions people don't ask. I am also surprised at how rarely people ask the big picture questions, especially people faced with a new environment or scenario. Along the lines of your "additional three questions", but going back even further:
1) What mandate and policies of this organization affect security? Do they even have security policies...anywhere...or anything that looks like something close to a security policy (like safety policies)?
2) What is the risk profile of the organization, and does anyone in the organization have an idea what that means?
3) How urgent is it to get security measures in place? Often organizations start looking at security as a result of an "incident" or "breach", which drives a management need to look like they're doing something. Maybe something DOES need to be done in the short term before looking at all the big picture things like critical asset values and vulnerabilities, but maybe not.
How can you assess what the "right way" to protect a network is without these basic answers?
You're right, we should all be asking a lot more questions of our Clients and management. Then if we don't get the answers we need in a timely manner we make assumptions, document them, and move on to planning some action. Eventually, someone will be asking, "Why are you doing this?", to which we can say, "Because the lack of an answer to my earlier question indicated a need for someone to do something."
Sorry for the rant, but this may be the existentialism of security professionals. People need us, they just don't know it unless we ask the right questions.
Posted by: Scott Wright at February 8, 2007 10:45 AM