A house, or any building meant to last, one that you and the people you know can safely live in, needs a reliable structure. As Gordon B. Hinckley put it, "You can't build a great building on a weak foundation." The same holds for security: a successful security posture has to start with that firm foundation.
Unfortunately, this is usually not the case. In most organizations the security posture is more or less an afterthought. Instead of careful planning and a measured, step-by-step approach with testing and verification along the way, what we mostly see are weak, ad hoc attempts at data security, thrown together only after a security problem has suddenly appeared.
How It Really Is
The typical security infrastructure goes something like this. Give or take a few details, it starts with perimeter security to protect against common attacks from the internet: a firewall. Then software-based defenses such as anti-virus, anti-spam, and anti-malware are added, but only once viruses, worms, spam, and malware have become too big a problem, and then only the bare minimum needed to alleviate it. Then come email attacks; perhaps someone compromises your company's email. Now you come up with some type of email security to protect your messages, maybe email encryption.
At this point you discover that your systems were attacked right through that great firewall you installed on the perimeter. Shouldn't it have protected you? Well, it was a pretty good firewall six years ago when you bought it. Today it is so outdated that it does not even see a third of the sophisticated attacks in use. Why did your firewall vendor not tell you this? And why did your IT staff not warn you about these possibilities? Because it is not their mandate to determine your security infrastructure; their responsibility is simply to keep things running at the least cost. The challenges continue from there, but by now you can see the pattern.
How It Should Be
Instead of waiting for the next attack to decide what to do next, build your security infrastructure from the ground up. Start with a good foundation. In a building, once the foundation is in place, the next step is framing, and if you want the building big and strong you frame it in steel. Data security is the same: the foundation is your security posture, the strategic statement of what your security should look like and where you want it to go. It is a statement of your security goals.
From this security posture come your security policies: the tactical statements, definitions, and instructions, set by management, on how to implement the right security solution. Your security posture and your security policies are inseparably tied together; they are the framing of your building. Luckily, you do not have to reinvent the wheel. A presidential executive order in 2013 (Executive Order 13636) directed NIST, the National Institute of Standards and Technology, to develop a framework of guidelines, best practices, processes, and methodology, and the resulting NIST Cybersecurity Framework is a very effective guide. From this framework you can build your foundation and your building. It is still only a framework: the work of combining it with your own management policies and goals still has to be done. There are, however, good organizations that can assist with this process, a topic we will cover at length in another post.