Life as a security professional is sometimes difficult, wouldn’t you agree? Most of us are damn good at our jobs, and have the best intentions, only to feel lost in the constant barrage of inputs like emails, threat alerts, spreadsheets, reports, questions from executives, questions from users, etc. Some days, something has to give. I sometimes (maybe often) miss the simple life.
- How do I (or we) contribute to the complexity in our lives?
- Can we make our lives as security experts more simple?
Maybe. It does seem a lot like I (or we) over-complicate and over-engineer things sometimes. Just try explaining what you do to someone who’s not an information security professional.
“If you can’t explain it simply, you don’t understand it well enough.” –Albert Einstein
This has always been in the back of my mind, but it really dawned on me while working with a large healthcare client (>7,000 employees) who struggles with maintaining parts of their security program. FRSecure had been working with this client for more than a year when we were hired to help them prepare for one of their numerous annual audits. We were hired to focus on year-after-year repeat audit findings, and one of those was employee terminations and transfers.
In this particular exercise, FRSecure was tasked with evaluating and testing the employee termination and transfer process. Our first question was: “what is an employee transfer?” Seems simple enough, and also seems like a great place to start. When I asked the question, I got blank stares. Nobody offered a good, workable definition of “employee transfer”. No wonder we keep failing this audit; we don’t even know what the definition is! So, let’s start here.
Turns out that there are 150+ possible employee statuses within the human resource information system (HRIS). These are statuses that are assigned and managed by Human Resources, and these are also the statuses that start the transfer process. Of these 150+ possible statuses, 23 were determined to be “transfer related” and 49 were determined to be “termination related”. The remaining statuses or status changes were irrelevant to this process. Finally, we have a definition to work with.
Now that we have a definition of an employee transfer, we can begin to work through what the existing process is. To do this, we needed all of the stakeholders to come together and take things through step-by-step. We started this process evaluation with a discussion and a piece of paper, but soon discovered that the process is complicated and required more collaboration than we originally thought. We moved into a new conference room with a whiteboard. Soon the entire whiteboard was covered by a mix of green, red, black, and blue lines and boxes. Once we completed the process diagram for the employee transfer process, we broke for the day.
I stayed up all night thinking about the process problems, when it finally came to me. Here are the problems (in a nutshell):
- We need to start with the basics. What are we trying to accomplish and what are our definitions?
- We need to simplify.
- We need to formalize.
- We need to automate.
- We need to measure.
The next morning, we picked up where we left off the previous day. I started the meeting off by writing the following words on the clean whiteboard:
Simplify. Formalize. Automate. Measure.
These would be the words that we referenced throughout the day as we worked to re-engineer the employee transfer process. The result was a re-engineered process with twelve (12) fewer steps, clear roles and responsibilities, less human interaction, and built-in internal auditing (measurement) capabilities. Of course we still need to implement it, but that’s a topic for another article.
Implementation should lead to zero repeat audit findings, and significantly improved information security!
These same words, Simplify, Formalize, Automate, and Measure, can and should apply to all information security processes.
“Complexity is the enemy of security.” The first person that I heard this from was Bruce Schneier in 2001, so I’m going to give him credit for the phrase. Bruce is a pioneer in our field (information security), and he couldn’t be more correct.
The more complex a system is, any system, the more difficult it is to secure it. It doesn’t matter if we’re referring to a software program, a system architecture, a building layout, or an employee transfer process (see above). Everything we do in information security should have a purpose. Decide what the purpose is, then figure out the simplest (yet most effective) method of accomplishing the purpose. It’s that simple.
Here are just a couple of reasons why we must strive to simplify whenever and wherever possible in our security program:
- Complex systems are more difficult to understand. If we don’t understand a system, then how well will we be able to secure the system?
- Complex systems are more prone to errors, and errors introduce risk. We are a lot less likely to encounter errors following a seven-step process or procedure than we are following a seventy-step process.
- Complex systems hide inefficiencies.
Evaluate your security program and identify places where you can simplify. Good places to start looking are:
- Incident management processes
- User provisioning (new hires, changes, and terminations)
- Asset management processes
- Vulnerability management processes
- Change control processes
- Technology use throughout the environment
An information security program can be (and usually is) a complex system of administrative, physical, and technical controls. Don’t make it more complex than it needs to be and work hard towards simplification.
What does formalize mean to you?
To us it means documented, communicated, and implemented.
The rule of thumb for where to formalize processes is pretty simple. If any one of the following conditions is true, you should formalize the process:
- If more than one person is responsible for the system or process, it must be formalized.
- If more than one person is responsible for steps in the system or process, it must be formalized.
- If more than one person is interested (stakeholders, customers, regulators, auditors, etc.) in the system or process, it must be formalized.
- If only a single person is responsible and that same person is the only one interested, but the person is not expected to live forever, then you should formalize.
Pretty much seems like everything should be formalized! In a perfect world this is true, but we don’t live in a perfect world. Start your formalization efforts with the processes that are 1) critical/very important and 2) require the participation of multiple people or groups.
Formalization of systems and processes is critical to ensure that everyone is on the same page and for accountability. There is a strong correlation between formalization and.
Don’t lose focus of “Simplify” when working through “Formalize”.
People are the most significant risk. Seems like everyone agrees with this statement. The reasons why people are the most significant risk seem obvious, but they are actually quite complex. A topic for another day, but for now let’s just agree that we can improve security where we can reduce the impact that people can have on our security efforts.
Look for ways to automate the process as much as possible. Automation reduces errors (assuming it’s done correctly) and improves efficiency. Automation can include any combination of scripts, programs (commercial, open-source, and in-house developed), and devices.
Again, don’t lose focus of “Simplify” when looking for ways to “Automate”.
Measurements allow us to determine how effective our system or process is at achieving the original purpose or objective. The things that we choose to measure are called metrics, and the metrics we choose are dependent on what we’re trying to accomplish.
In a perfect world, each critical/important process would be measured in real-time using automated means. Again, we don’t live in a perfect world, and we need to start somewhere. This is where we usually start:
- If you don’t already have a process in mind, then do an information security assessment to determine which process to start with.
- Map the process from beginning to end.
- Work through simplification, formalization, and automation (see above).
- Determine metrics at each step of the process that determine the success, failure, and/or effectiveness of the process. Keep the purpose or objective in mind.
- Determine how to obtain and manage the measurements, including setting thresholds.
- Communicate the measurements to interested parties.
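As an added example of what “automate” and “measure” can look like for the termination half of the process described above (this is illustrative code written for this article, not FRSecure’s or the client’s implementation): HRIS status changes are classified as termination-, transfer-, or not-related, each termination is checked against the directory to see whether the account was disabled within an agreed SLA, and the step’s metric (share of terminations disabled within SLA) is compared against a threshold. The status codes, the account records, the 24-hour SLA, and the 95% threshold are all constructed for illustration; the page reports 49 termination-related and 23 transfer-related HRIS statuses but does not list them.

```python
"""Automated check plus built-in measurement for the termination step of an
HR-driven deprovisioning process.

Added example; not FRSecure's or the client's code. Status codes, account
records, SLA and threshold are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical HRIS status codes, grouped the way the client grouped its 150+.
TERMINATION_STATUSES = frozenset({"TERM_VOL", "TERM_INVOL", "RETIRED"})
TRANSFER_STATUSES = frozenset({"XFER_DEPT", "XFER_SITE"})


@dataclass(frozen=True)
class StatusChange:
    employee_id: str
    new_status: str
    effective: datetime


@dataclass(frozen=True)
class Account:
    employee_id: str
    disabled_at: Optional[datetime]  # None means the account is still enabled


def classify(status: str) -> Optional[str]:
    """Map an HRIS status to the process it triggers, or None if irrelevant."""
    if status in TERMINATION_STATUSES:
        return "termination"
    if status in TRANSFER_STATUSES:
        return "transfer"
    return None


def overdue_terminations(changes, accounts, now, sla):
    """Return (employee_id, hours_late) for every termination whose account was
    not disabled within `sla` of the effective date. hours_late is counted from
    the SLA deadline; a still-enabled (or missing) account is counted up to `now`,
    which is the conservative reading for an audit check."""
    by_emp = {a.employee_id: a for a in accounts}
    late = []
    for c in changes:
        if classify(c.new_status) != "termination":
            continue
        deadline = c.effective + sla
        acct = by_emp.get(c.employee_id)
        closed = acct.disabled_at if acct and acct.disabled_at else now
        if closed > deadline:
            late.append((c.employee_id, (closed - deadline).total_seconds() / 3600))
    return late


def deprovisioning_metrics(changes, accounts, now, sla, threshold):
    """Metrics for the step, plus pass/fail against the agreed threshold."""
    total = sum(1 for c in changes if classify(c.new_status) == "termination")
    late = overdue_terminations(changes, accounts, now, sla)
    within = total - len(late)
    rate = within / total if total else 1.0
    return {
        "terminations": total,
        "disabled_within_sla": within,
        "overdue": len(late),
        "compliance_rate": round(rate, 3),
        "threshold_met": rate >= threshold,
    }


# Constructed sample input: a week of HRIS changes and the matching directory state.
NOW = datetime(2024, 3, 15, 12, 0)
SLA = timedelta(hours=24)
THRESHOLD = 0.95
SAMPLE_CHANGES = [
    StatusChange("e100", "TERM_VOL", datetime(2024, 3, 10, 17, 0)),
    StatusChange("e101", "XFER_DEPT", datetime(2024, 3, 11, 9, 0)),
    StatusChange("e102", "TERM_INVOL", datetime(2024, 3, 12, 9, 0)),
    StatusChange("e103", "LEAVE_FMLA", datetime(2024, 3, 12, 9, 0)),  # irrelevant status
    StatusChange("e104", "RETIRED", datetime(2024, 3, 13, 17, 0)),
]
SAMPLE_ACCOUNTS = [
    Account("e100", datetime(2024, 3, 11, 8, 30)),  # disabled 15.5h after effective: OK
    Account("e101", None),                           # transfer, account stays enabled
    Account("e102", datetime(2024, 3, 14, 9, 0)),   # disabled 48h after effective: 24h late
    Account("e103", None),
    Account("e104", None),                           # still enabled at NOW: 19h late
]

if __name__ == "__main__":
    for emp, hours in overdue_terminations(SAMPLE_CHANGES, SAMPLE_ACCOUNTS, NOW, SLA):
        print(f"FINDING: {emp} not disabled within SLA ({hours:.1f}h late)")
    print(deprovisioning_metrics(SAMPLE_CHANGES, SAMPLE_ACCOUNTS, NOW, SLA, THRESHOLD))
```

Run as-is it reports two findings (e102 and e104) and a compliance rate of 33.3% against the 95% threshold. Feeding it real HRIS exports and directory data is the automation; the metric dictionary is the measurement that goes to the interested parties, and the finding list is the internal audit evidence that a repeat audit would otherwise produce for you.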
A simple example is measuring the effectiveness of the asset management process(es). Metrics might include:
- Average workstation deployment time
- Workstation deployment accuracy
- Physical asset loss rate
- Lost asset response time
- Software license compliance rate
These were just metrics that came to mind, and I’m sure yours will be much more applicable to your own situation.
We see too many over-complicated and ineffective information security programs and processes. Information security shouldn’t be complicated, and it isn’t complicated if you’re doing it right. Take the time to simplify where you can. If you simplify well, your information security program will be easier to manage and more effective.