When we begin to plan how best to protect our systems and organizations from intruders, it helps to think of those who maliciously attack the security of our organizations as entrepreneurs in their own right–though entrepreneurs of havoc and, in extreme cases, evil. As such, they are always looking for opportunities to be more effective and efficient. That means they frequently change their tactics as they seek to perfect their skills. As security planners, we must do the same to effectively deal with these attackers; that is, we must work with greater conviction and stay as fast on our feet as they are. In this article, I’d like to highlight what I consider to be the most important best practices when it comes to security planning. By using security planning best practices, and by understanding their complex interrelationships, you can see further into the future and better anticipate our advesaries’ next moves:
” Sell security, don’t force-feed it.
Demonstrate to your organization that security adds value, as opposed to presenting security as a necessary burden. Detail the value of security in terms businesspeople can understand.
” Remember that security planning is neither an absolute science nor an ad hoc process.
Security planning is a process that must be constantly managed and optimized, hence it can never be regarded as “finished.” Help people in your organization understand that security planning is an ongoing activity, not something you do until you reach some ultimate solution.
” Achieve balance when planning.
Avoid the extreme practices of ultra-planning and nonplanning. A lack of focus is the enemy of security.
” Prioritize and focus your information and infrastructure security planning and budgets.
Regularly perform security risk and impact analyses.
” Create a cross-organizational security planning team with an executive mandate.
Manage the effectiveness of your security plan through a structured quality management process.
” Plan security within the context of business, life cycle management, and technology.
Security planners must understand the plethora of technology they are protecting, not simply the tools designed to protect it.
” Treat security policies, procedures, and training as the backbone of your security plan.
Take into account the specific needs of your organization, regularly look for opportunities to introduce needed training materials, policies, and procedures or to improve existing ones.
” Profile hackers and plan your interactions with them.
Understand that hackers have different motivations and try to anticipate which ones will be most attracted to your organization. Provide clear mechanisms that hackers or those who find security problems with your infrastructure can use to communicate with you should they choose to; for example, institute a very accessible email address on your website (e.g., security@your_company.com). Finally, train customer service staff so they know how to deal with hackers who contact them to point out a vulnerability.
” Build an incident response plan and team.
Practice your organization’s security strength by assessing its response to actual and simulated incidents.