Thursday, February 7, 2013

Simple Answers To Security Complexity

One of the old adages in information security is that "complexity is the enemy of security". The reasoning behind this is simple. Complex systems are much harder to map out (large attack surfaces), are often very difficult to manage effectively, and the long-term behavior of a complex system is more difficult to predict reliably (vulnerabilities and fault conditions).

This adage is less an academic or philosophical statement than an observation borne out by more than a few (usually quite painful) professional experiences concerning the impacts of complexity. Given these experiences, one might assume that we've all learned our lesson and issued a declaration of "never again".

Except, of course, we can't really say this. Complexity is unavoidable amid organizational pressure to integrate, deliver, and leverage IT systems on ever shorter time horizons. However, IT specialists aren't the only ones feeling the brunt of this. Contractual, legal, and regulatory complexity is also growing to an all-time high. So much for simplicity, right?

Well, the truth is you can't manage complexity with even more complexity. Now more than ever, managing information security challenges requires a solid grasp of the answers to some deviously simple questions. The answers to these questions are fundamental, as they form a map to what really matters most. Three fundamental questions that must be answered are:
  1. What are the mission and goals of your organization?
  2. What does "security" mean in the context of these objectives?
  3. How can you consistently generate and demonstrate value in support of these goals?

The key element of each of these questions is understanding how the mission of your information security program fits into the "big picture" of your organization. There is a reason, however, why these are deviously simple questions. Finding the answers is a bit like assembling a puzzle. Your senior executives will have some crucial pieces, but you will discover that other key insights come from line managers and end users. Knowledge of the varied business operation requirements within your organization is also essential to identifying which pragmatic security trade-offs both protect and enhance the capability of your organization to hit its targets.

Obviously, you build and refine this picture over time and continually adjust your security program, not only in response to new threats and obstacles but also to the evolution of new goals and opportunities. Unfortunately, though, many organizations put the cart before the horse. They attempt to deal with complex issues (the "how") before they've attempted to gain any insight into the basics (the "why"). Failing to address (and readdress) these simple questions inevitably leads to very costly and visible course corrections.
