In previous articles, I wrote about common information security misconceptions and mistakes organizations make. As valuable and occasionally humorous as those mistakes can be to learn about, the real payoff comes when you understand what proactive steps to take to prevent your organization from making those same mistakes.
Below I provide six practical tips to get you on your way. Of course, every organization’s mitigating controls are highly contextual, so adopting all six may not be right for you. But if you follow these, even just a little bit, you will be much more informed about information security and better equipped to make decisions on time and resource investment.
This short, six-step plan will help you integrate security into your information management and application lifecycle. Each step is a short-term investment for a long-term gain: the best of both worlds, as security is fast becoming a non-negotiable business requirement that your customers demand.
How to Avoid Mistakes: Six Good Practices
1. Make a Self-Assessment
This is quick and inexpensive. It means going through a checklist to see if you have incorporated application and information security into your risk management framework and to determine whether you have integrated security into each phase of the software development lifecycle.
It is a very simple meeting with your VP of Application Development to have him or her list the different phases of their specific software development process. Then ask how they handle security at each phase and determine whether or not the outputs of those activities are usable in your risk management process.
If the outputs aren’t useful, perhaps you should be measuring something different. In most cases, the answers you get will be something like, “Well, we’ve just started thinking about how to integrate security into our application development, so we don’t really have anything tangible for you at this time.”
That’s OK because that would be an ideal time to discuss your needs with that team. Bridging the gap between application development and risk management is a highly valuable activity and it can be jump-started by this simple self-assessment.
It’s a simple checklist that will give you a quick gap analysis of where you stand on the information and application security maturity model (see figure 1 on Page 3).
Threat modeling is also an important and valuable step in a self-assessment. It is a more mature and sophisticated approach than the checklist mentioned in the previous paragraph, but the payoffs are substantially greater.
Threat modeling, at the business level and the application level, is part of the risk analysis and risk management that allow you to identify where the biggest threats to your business are. This is the Sun Tzu approach of “To know your Enemy, you must become your Enemy.”
The basic idea is to define a set of attacks or negative scenarios and assess the probability, potential harm, priority, and business impact of each threat. This can be done at any stage, from design through deployment, and yields more valuable results the earlier it is applied. You may need help on your first couple of threat modeling exercises, but there are plenty of good information security consultancies that can provide this.
When you develop a threat model, it becomes a tangible, persistent asset for your organization as well. If a new vulnerability or threat is detected, you can reuse your threat model to determine whether your risk has increased, decreased, or stayed the same. The threat model can help you avoid falling into the Recency Trap and will tell you whether or not a newly identified threat is already mitigated in your system.
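To make the “persistent asset” idea concrete, here is an added example (not code from the article or from any tool it mentions) of a minimal threat register in Python. Each scenario carries a probability and a potential-harm score; risk is their product, priority is the ranking, and when a new vulnerability report arrives the register answers the question the paragraph poses: is it already mitigated, does it raise our risk, or was the affected component never modeled? The 1–5 scoring scale, the component names and the sample scenarios are all constructed assumptions for illustration.

```python
"""Minimal threat-model register: score scenarios, rank them, and re-evaluate
the model when a new vulnerability report comes in.

Added example. The 1-5 scale, component names and sample threats below are
constructed for illustration, not taken from the article."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    component: str                 # asset or application component targeted
    category: str                  # class of attack (e.g. "sql-injection")
    probability: int               # 1 (rare) .. 5 (almost certain)
    harm: int                      # 1 (negligible) .. 5 (severe business impact)
    mitigations: list = field(default_factory=list)  # controls already in place

    def risk(self) -> int:
        # Qualitative product of probability and potential harm.
        return self.probability * self.harm


def rank(threats):
    """Priority order: highest risk first."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


def total_risk(threats) -> int:
    """Aggregate risk score of the whole model, used to compare before/after."""
    return sum(t.risk() for t in threats)


def apply_report(threats, component, category, control):
    """Fold a newly reported vulnerability into the existing model.

    component / category: what the report affects and what kind of attack it enables.
    control: the mitigation that would neutralise it.
    Returns (status, risk_before, risk_after) where status is one of
    'already_mitigated', 'risk_increase' or 'unmodelled'.
    """
    before = total_risk(threats)
    for t in threats:
        if t.component == component and t.category == category:
            if control in t.mitigations:
                # The scenario was anticipated and the control is in place: no change.
                return "already_mitigated", before, before
            # Known scenario with no covering control: exploitation is now more likely.
            t.probability = min(5, t.probability + 2)
            return "risk_increase", before, total_risk(threats)
    # The component was never modeled; the model itself is the gap.
    return "unmodelled", before, before


def sample_model():
    """Constructed sample register (hypothetical components and controls)."""
    return [
        Threat("Customer DB exfiltration via SQL injection", "order-api",
               "sql-injection", 3, 5, ["parameterised-queries", "waf"]),
        Threat("Session hijack over plain HTTP", "web-portal",
               "transport-exposure", 4, 4, []),
        Threat("Payment record tampering by insider", "billing",
               "privilege-abuse", 2, 5, ["audit-logging"]),
    ]


if __name__ == "__main__":
    model = sample_model()
    for t in rank(model):
        print(f"{t.risk():>3}  {t.name}  mitigations={t.mitigations}")
    print(apply_report(model, "order-api", "sql-injection", "parameterised-queries"))
    print(apply_report(model, "web-portal", "transport-exposure", "tls-everywhere"))
    print(apply_report(model, "hr-system", "sql-injection", "parameterised-queries"))
```

The three calls at the bottom correspond to the three outcomes the paragraph describes: a report that the model already covers leaves the score unchanged, a report against a modeled but unmitigated scenario raises it, and a report against an unmodeled component tells you the model needs extending rather than that the risk has changed.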
2. Believe the Application Security Hype
This is an unfortunately necessary action, as there is a lot of hype and fear out there that vendors and media are spreading unnecessarily. However, the application security hype is very real, and we have seen it in recent and past headlines: the LexisNexis breach, the recent problems at TJX, and even the incidents at T-Mobile and CardSystems were all information security incidents caused by application security holes.
So how do you filter through the chaff to determine what is real and what isn’t? One thing that can help is to focus on the application layer. The network and systems layers represent less than 30% of all security vulnerabilities (according to Gartner Group); this number is less than 10% according to NIST.