Thursday, September 18, 2008

The Peanut Butter and Jelly of Information Security

I had the opportunity to give a presentation today to a class full of future information security professionals. Well, actually they're just some college students that thought information security might make an interesting elective course, but maybe one of them will grow up to be an information security professional. I was talking about risk management and how the process should work in theory and some of the major problems that exist in the practical application.

I've heard it said and read in several places that information security is risk management. While I do believe that risk management is a large part of information security, I do not believe that it is the whole thing. So at the beginning of the class I said that risk management and quality assurance are the peanut butter and jelly of information security. Looking around on the Internet, I don't see a whole lot of attention being paid to quality assurance and the role that it plays in information security.

Consider the case of computers that we image and deliver to the customer. In some cases, due to flaws in our processes, computers can go out with software that is a few releases behind. In other cases, not all of the operating system patches were applied before the machine was delivered to the customer. This creates a security problem for me. There you have it: a lapse in quality results in a security problem. The same point can be made for just about any software bug out there... a lapse in quality results in a security problem. So information security professionals should spend some time thinking about ways that they can improve the quality of their processes, because that will have a positive effect on their organization's security posture. I call these "synergy projects" because they improve information security, and they provide improved customer service. Two different groups benefiting from the same project. Sweet.
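One way to turn that imaging lapse into a quality gate, as an added example that is not from the post: before a machine ships, compare its inventory against the golden baseline and refuse delivery on any lapse. The product names, versions and patch identifiers below are constructed placeholders, not real ones.

```python
"""Pre-delivery quality gate for imaged machines (added example, not from the post).

Compares a constructed inventory of a freshly imaged machine against a
constructed golden baseline and reports every lapse the QA step should catch:
software a release behind, software missing entirely, and OS patches never applied.
"""
from dataclasses import dataclass

# Constructed baseline: versions and patches every delivered machine must carry.
BASELINE_VERSIONS = {"office-suite": "12.0.3", "pdf-reader": "9.1.0", "browser": "3.0.1"}
BASELINE_PATCHES = {"KB-A1", "KB-A2", "KB-A3"}  # placeholder patch identifiers


def version_tuple(version):
    """Compare versions numerically so "12.0.10" ranks above "12.0.9"."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Lapse:
    kind: str    # "outdated", "missing" or "unpatched"
    item: str
    detail: str


def check_machine(installed, applied_patches):
    """Return the list of lapses for one machine; an empty list means it may ship."""
    lapses = []
    for name, required in BASELINE_VERSIONS.items():
        have = installed.get(name)
        if have is None:
            lapses.append(Lapse("missing", name, f"required {required}"))
        elif version_tuple(have) < version_tuple(required):
            lapses.append(Lapse("outdated", name, f"{have} < {required}"))
    for patch in sorted(BASELINE_PATCHES - set(applied_patches)):
        lapses.append(Lapse("unpatched", patch, "not applied"))
    return lapses


def may_ship(installed, applied_patches):
    """The gate itself: True only when the machine matches the baseline completely."""
    return not check_machine(installed, applied_patches)


if __name__ == "__main__":
    # Constructed inventory of one machine that just came off the imaging line.
    inventory = {"office-suite": "12.0.1", "pdf-reader": "9.1.0", "browser": "3.0.1"}
    patches = ["KB-A1", "KB-A3"]
    for lapse in check_machine(inventory, patches):
        print(f"{lapse.kind:9} {lapse.item}: {lapse.detail}")
    print("may ship:", may_ship(inventory, patches))
```

Every lapse the gate reports is both a support call avoided and a security hole closed, which is the synergy the post describes.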

There is another great benefit to attacking security problems from the quality assurance angle: it offers a way into the elusive and ever-distant quest to show Return on Investment (ROI). For the sake of this discussion I'll use the term ROI to mean "yes, this is a good project." In real life I feel that ROI is flawed and that we should be using something awesome like Net Present Value (NPV) whenever possible. If I wanted to buy some whiz-bang product that would ensure that patching was up to date on all of my machines, I might find that I have a difficult time showing that this is a good use of the organization's money. First I would have to show that we are suffering some kind of loss due to machines not being patched, and then I would have to show that that loss is great enough to warrant purchasing my new toy. However, instead I've found that we can improve our process, which results in a higher quality product. We will have fewer support calls to deal with, and that will free up staff to provide faster service and give us happier customers that want to give us more of their money.

I guess what made me think about writing this was a blog post that I read over at Spire Security Viewpoint (http://spiresecurity.typepad.com/spire_security_viewpoint/2008/09/can-you-get-roi-from-reduced-costs.html). In this post the author asks if security projects can show ROI, given that they are not revenue generators. IT security is going to be a cost center, and so there is debate as to whether or not we can show ROI. I say that we absolutely can show ROI if we can find projects like these, where we can do more with less and bring in more customer money while at the same time fixing security problems.

Risk management is never going to go away in our line of work. No matter how much quality you infuse into your processes there are still going to be people that will try to intentionally break into your systems and infect your machines. And at some point you will have to make the choice to spend a lot of money to reduce the risk or accept the risk. However, I think that we should all take a moment to see if there isn't a project in our organization that could use an injection of quality assurance and see if that injection doesn't lead to an inexpensive and significant improvement in security.
