Here’s a common question I get asked a lot: “What technology should I use to secure my server/network/[some technology]?”
The question is usually presented by someone who’s in charge of “Security” in an organization. Now, I wouldn’t have had a problem with this if this was a technician, or a pen-tester of sorts, but I get really nervous when the CISO/CIO/Security manager is the one asking.
I think that this question is highly inappropriate for two reasons:
- You should not be looking for “technology”. Buying a product is not going to make you more secure or less secure.
- You should not be trying to protect a technology. Your servers, networks, routers, PCs, etc… are not the focus of information security. The information is…
Having been working with senior management – sometimes as an advisor/consultant, and sometimes as a “virtual CISO”, I know that this is not what we expect the CISO or security manager to ask. We expect business savvy, we expect an understanding of what the information assets are, what are the information critical paths, who owns the information and what is the impact of every asset on the business. We expect that the understanding of how each assets fits into the grand scheme of things would be clear to whoever is in charge of securing it, and we expect them to take into account what is the potential damage related to each of these assets (in terms of losing it, having it fall into the wrong hands, etc…).
For me (or us when talking as management) this is the only way to approach security. Funny how things get a little unclear when all you thought you needed to know was which vendor/product fits where in your topology, huh?
What strikes me as most peculiar is the fact that a lot of these security “professionals” find themselves in a self proclaimed identity crisis, having to deal with business requirements and financial understanding of how the business operates. and the weirdest thing is that they often choose to get back to what then “know” best – the technology side of things. Definitely not the way to make a move…
I’m really hoping that all this preaching of “know thyself before you know your enemy” would help somehow, because right now unfortunately the situation at hand only brings us more business (not that I’m complaining). But seriously now – technology is fine and cool, but having the aptitude to know where it fits, not on an architectural level, but from a business perspective is the key to what we do. Get back to the drawing board, erase the network topology and start drawing the business one!