Information-related risks, threats and compliance

Dr. Eric Cole is a security expert with over 20 years of hands-on experience. He is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. He is a SANS faculty fellow and course author.

In this interview he discusses managing information-related risks in the enterprise, threat evolution, compliance, security awareness, as well as his SANS “Security Essentials Bootcamp Style” training course he’s hosting at SANS London in late November 2012.

With threats evolving at a breakneck pace and the underground working on a seemingly endless budget, what are the biggest challenges security professionals face when trying to protect their organizations? What should they especially be on the lookout for?

The biggest challenges organizations face is properly prioritizing what they should be working on and staying focused. Organizations today are doing good things that will help protect their organization long term but they are not doing the right things that will protect against the current threats. Focusing in on risk is how an organization wins. Before they spend a dollar of their budget or an hour of their time they should always ask three questions:

  • What is the risk?
  • Is it the highest priority risk?
  • Is it the most cost effective way of reducing the risk?

Organizations should be on the lookout for high likelihood and high impact threats that could impact their most critical assets.

How important is security awareness in the overall security architecture?
Security awareness is very important because it helps align and reshape user behavior. For security awareness to be effective organizations it has to be aligned within the triad of policy-training-awareness. Policy tells people what to do, training gives them the skills for doing it and awareness changes their behavior.

To move beyond cartoons and posters organizations need to tie metrics to each policy statement. Awareness sessions should focus in on the policies that receive the lowest score in terms of compliance. If awareness is done correctly organizations should see a measurable improvement in compliance with the policies.

Some advocate compliance while others blame it for many of the problems having an impact on the insecurities of today’s organizations. What’s your take on the good and bad sides of compliance?
Compliance is very good at getting the executives attention and receiving proper funding. But it is important to remember that blindly trying to meet compliance by doing the minimal amount that is required will not necessarily lead to security. However, if compliance is the stick to receive the proper focus, proper security can lead to compliance. For it to work effective compliance can be the sales pitch and an objective, but risk based security needs to be the focus in order for an organization to receive the desired results.

With the current recession and shrinking budgets, what are the most challenging aspects of managing information-related risks in the enterprise? Are there any corners practitioners are allowed to cut?
With less resources organizations are required to do more with less. The biggest challenge is trying to accomplish too much and not properly focus in on the highest risk items. In order to be successful in these challenging times it is critical that organizations make sure everyone is on the same page.

Security should have a single chart that everyone agrees to that identifies the critical assets (based on business process), threats (based on likelihood), vulnerabilities (based on impact) and overall risk. If everyone in the organization is focused and aligned to the same items, this will allow common metrics to be defined across the organizations.

Everyone can than focus on their respective areas -security can define the metrics, IT can implement the metrics, auditors can measure the metrics and executives can understand the metrics. The way to cut corners and to do more with less is through automation. Now computers can automatically do the repetitive continuous monitoring which would allow the limited staff to focus on analysis.

What does your SANS training course look like? What skills can attendees expect to acquire?

SANS SEC401 takes the student on a journey, showing how all of the areas of cyber security fit together. The following are some of the skills that attendees can acquire:

1) Understand the principles for designing a security network architecture.
2) Decode and analyze packets going across a network.
3) Integrate security throughout an organization that includes effective policies, access control and incident response.
4) Understand how the offense operates to build better defensive measures.
5) Map defensive solutions against risk to deploy the right security solutions for an organization.
6) Deploy cryptographic solutions that provide confidentiality, integrity, authentication and non-repudiation.
7) Build, analyze and security Windows and Unix operating systems that can defend against the APT.