I think we might be on the same page, but if not I still appreciate that you took the time to speak up and voice your opinions and thoughts.

You’re right about security folks analyze for for technical exposures, and to some degree they need to also indicate what the technical impact that exposure might create. My point in one sentence was to ensure that the business impact (the why) and technical impact (the what) were aligned. Again I think we’re more aligned than it appears. Again, good stuff!

–Kevin

Security professionals who run tools do not make business strategy recommendations. They usually deliver technical details on the potential exposures and explanation as to how to address them from a technical perspective. It is their job to deliver every single potential exposure as a finding (after verifying these findings are not type 1 or type 2 errors), not to judge exposures for impact.

Senior management within organizations needs to review these findings and align those vulnerabilities to mission-based risk and decide if the exposure is worth mitigating (usually via an impact and cost-benefit analysis). This step is done (or should be done might be more appropriate), by those within the organization with knowledge of the mission goals and can understand the hazard these findings may present to those goals.

–Kevin

MM

You’re right, we should not stop listening to our security vendors 100%. My point was simply to state that when we’re making business decisions based off security risks, those decisions should be based on a variety of information and not just security (the WHAT). Security is just an input, not the only input. As someone who used to work for a corporation (the customer) and now as a security vendor, I’ve seen and helped my own customers from making the mistake of making a business decision just because something pops up on a vulnerability scanner (i.e., what I am saying is not the final decision, just another input for you to make a good business decision). My intent was to share this small, but important point with the community at large even though it’s common sense, as you pointed out, for most. Maybe “Focus More on the Why Rather Than Solely The What” would have made more sense, moot point now :P

Thanks again for taking the time to post,

–Kevin

I am a security professional and have been for nearly 10 years now. In matters concerning risk it is my ethical duty to present risk in such a way that provides the client with a clear “understanding” of it and the “capability” to consider the most appropriate solution. My primary security approach is to be a business enabler, not disabler. Too much security cripples business through indirect cost and loss. Most of my colleagues sing from this same hymn book.

Here are my professions Code of Ethics Preamble:

Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.

Are there vulchers out there? Of course! But they’re in every facet of business, not just information security.

Companies that hire security vendors should consider the WHAT they are trying to accomplish. WHAT risk are they trying to counter. Then assess they WHY. Once your done you have the pavement to get to the HOW, which will lead to the WHO and the WHEN. Perform the appropriate comparative analysis and research on similar products to ensure the right product fit. That’s just common business sense.

The title of your article may turn heads, but it doesn’t fit with your story and is disrespectful to my profession. You may want to consider changing it to “Why you shouldn’t throw all your eggs in one basket” since the article has more to do with business ethics than Information Security.

I digress…

Thanks again for your post Rieks!

–Kevin

Bruce Tucker said: “Companies and agencies can not just ‘choose’ what should be fixed if they want to be compliant with HIPPA, GLB, SOX etc.” Of course, he’s right. However, they CAN choose whether or not they want to be (fully) compliant with HIPPA, GLB, SOX etc. Of course, as with any choice, you get to suffer the consequences.

In my opinion, there’s a difference between “not having a choice” and “facing a dilemma”. A month or so ago, the Dutch health inspection published a report stating that in many hospitals, username/passwords (U/PWs) were not treated as it should (people would know each others credentials, or they would be written down). I think that this signal, as any other signal of violations of commonly used security policies or practices, should be addressed. To me, addressing such a security signal differs from “going for the first solution that makes the signal go away”. People do things for reasons, even if you’re not aware of that. You need to find this motivation, and then find a solution that both accommodates for this motivation, and makes the signal go away. Employees of a hospital told me that abiding by the security policy with respect to U/PWs, they get to put off operations once in a while because e.g. the artificial hip wasn’t available in time for the operation, the cause of which was that the person with appropriate permissions for the ordering system had fallen ill, or got an accident. Putting off an operation not only provides (psychological) damage to patients (if not worse), but also disrupts the primary process, and lowers the staff’s morale, and there’s this waiting list for patients that they need to shorten… Their solution (in general, people know pretty well how situations can be solved) however could not be implemented in the ordering system.

So here it is: there is a signal saying that U/PWs are not handled securely. There can be (at least within the operating theater of one hospital), good reasons for this. In this case, addressing the issue is making (business) choices, which is not just a business privilege, but a business obligation, specifically in what is perceived as a dilemma. Security signals are just messages to telling the business that once again it’s time to make some choices.

–Kevin