Now, as I move into my role as a CISO, I'm looking to gain information about the organization. I want to find out what's currently in place, where we are versus where we wanna get.
And you know, the idea there is looking at the current state versus the desired state, and that's exactly what it sounds like. It's where are we versus where do we want to be?
So when I come into an organization, I've got some questions I have to ask. Now, I'm not going to stop and read every single one of these. But I do think that there are a couple that need to be discussed. All right, so first question, we're looking at an organization.
Does the previous, or has the previous CISO, how routinely did they meet with
business management? How frequently did they interact with them? Is that something that's been a part of normal operations, or would this be something new?
Um, how involved is top management, senior management, in security-related decisions? Do they just, you know, is there, ah, consideration? Do they have a part in the decision-making process?
Uh, what criteria do they use to approve or decline security mechanisms that have been recommended? What's their role? How involved are they?
Does management understand the different roles of security within an organization? Now, again, I'm gonna ask these much more delicately than saying, hey, do you have any idea what goes on in your company? But ultimately these are the things that I want to discover. How would employees know if there was a security incident?
Do they have a good understanding of what constitutes a security incident as well as what to do should they see one?
Um, how is inventory managed? Right? Because, you know, many organizations are very careless with their inventory and, you know, we've got thousands and thousands of dollars wrapped up in our company laptops and desktops and other elements, routers, switches. How are they protected currently?
Um, do we have disaster recovery plans
in place? What are they? How are they documented? Who's trained? Are the teams well defined? Are the roles and responsibilities established? Where do we stand in disaster recovery planning? Um, do we understand what liabilities, has management identified all the information
that would violate company policy, legal requirements, standards, whatever? Do we understand where our valuable information is or what it is? And how is that currently protected?
When's the latest attack the organization has gone through? Did we have a virus, some sort of malware infection? Was it a more active attack from an intruder?
Um, how often do these attacks happen?
Um, how many people are online in our network on any given day? How many different entities have access to our network?
Are we monitoring our, do we have a monitoring system in place for employees versus one for contractors? How do we segment out these non, uh, consistent users from the rest of our organization?
Do we have them segmented to their own network, their own VLAN? How have we divided up that
idea of trust versus untrusted? We'll talk about that later, but it's exactly what it sounds like. We have a reasonable degree of trust in our internal employees. We don't trust them exclusively, but we have had,
you know, we work with them. We have policies in place for them. They've gone through screening before employment. There's a reasonable degree of trust in our employees,
very little trust for outside entities like customers, contractors and so on. So how do we segment out these different layers of trust?
And how do we approach security? Is it something that we think, you know, has to be decided upon before we initially design an element? Maybe we do software development in-house. How early on in the process do we talk about security? Or do we develop the program and go, oh,
we better secure it.
Let's release the patch later to go back and fix the vulnerabilities. And again, that's, what is our mindset in our approach to security? When we talk about developing strategy, we've got to know these pieces of information.
All right, so when I talk about questions to ask, those are good ones.
Now, in addition to that, we've also got to think about what are the pitfalls that come along with developing strategy. What are the pitfalls that keep us from getting honest, ah, and actual answers to the questions that we have?
Why is senior management reluctant to change? Well, we've got a lot of different pitfalls that come in the way of us moving forward effectively. One is overconfidence.
You know what? We haven't had a compromise. Therefore we're safe. It's that old idea: if it ain't broke, don't fix it. Well,
you know, many of these mechanisms and configurations have been broken, and it's just a matter of time before it's compromised in our environment. So that overconfidence or, you know, that could come from
hey, we just bought a $30,000 firewall. We better be covered. You know, overconfidence in single mechanisms, overconfidence in technology, overconfidence in the skill of our team, our own personal skills. Overconfidence is a killer in the world of security. You know,
the longer I've been in security,
the more threats and vulnerabilities I realize there are. And the more
the more I realize that you can never rest.
Optimism. You know, it's that idea of, oh, this will never happen to me. You know, um, we're a small organization. Who's gonna target us? We're good.
Optimism. You know, we hope for the best, but we prepare for the worst.
Another idea: anchoring. You know, we hear one value or we have one experience, and we stick to that. It sticks in our mind. So, um, you know, if we look at
ah, five years ago and we find out that during the course of a year, we only had a single malware attack. Well, that sticks in our mind, right? We don't have attacks that frequently. The last time I talked about it, we only had a single attack.
Yeah, that was five years ago. The threat environment has changed drastically. But if we cling to that old information, we can find ourselves locked in and making poor decisions. One of the worst ones, and the thing that's hardest to fight, I think, sometimes is the status quo. This is how it is.
Because it's always been this way,
right? We're reluctant to change. Sometimes you hear that described as inertia. An object at rest tends to stay at rest, right? We just tend to be very comfortable and very relaxed where we are. So as security managers,
as information security officers, we've got to really fight that idea off.
We're doing this because we always have. Just because we've always done it doesn't make it the best decision, especially because of emerging threats. Mental accounting: sometimes people have odd justifications for how they spend their money, you know, and ultimately
because of the fact that security does not profit
an organization. You will never make a profit off of security. Now you'll prevent losing money, Absolutely. But because we don't have that direct line to profitability, sometimes it's difficult for a manager to put out an investment into security because I don't see that immediate return.
All right, the herding instinct. You know, sometimes we look at what other officers, our peers, other industries, are doing. And we tend to do something because everybody else is doing it. You know, that's kind of a one-size-fits-all solution.
Um, as trends emerge, you know, organizations today are moving to the cloud very, very quickly, and there are a lot of good reasons, a lot of good benefits to the cloud. But
the cloud isn't sort of this panacea that fixes every problem that's out there. I gotta get to the cloud. Why? Because everybody's going to the cloud. I do it. Why? Because he's in the cloud, right? We've gotta have that mentality that says we're looking for a solution that meets our organization's needs.
And then a false consensus. I'm sure everybody thinks this way. You know, that idea of because I have a belief everyone else naturally would have that same belief. We find that that's frequently not true. And we need to
Make sure that we surround ourselves
with people that will give us honest opinions and that we conduct risk assessments in a way that has integrity and in a way that facilitates honest opinions and honest information. You know, if I only surround myself with people that think just like me,
I'm gonna be open and they're gonna leave themselves open to the same vulnerabilities that I would.
So we gotta watch for these pitfalls, and we have to make good, objective decisions as an information security officer, because again, what we're ultimately looking to do is give the greatest value to business.