---------- Forwarded message ----------
Date: Thu, 22 Aug 2002 20:36:13 -0400
From: Richard Forno <rfornoat_private>
To: rfornoat_private
Subject: [infowarrior] - An Open Letter to CEOs Regarding Information Security

An Open Letter to CEOs Regarding Information Security

By understanding the needs of security admins, corporate executives can ensure the ongoing security of their crucial information systems.

By Richard Forno
Aug 22, 2002
http://online.securityfocus.com/columnists/104
(c) 2002 Securityfocus

Dear Esteemed Corporate Leaders;

By the time you read this, our summer vacations will be winding down, the long days of summer will be rapidly receding into memory, and, for those of us slaving away in the corporate trenches, work will begin to pick up again. Given that summer may be a time for forgetting the drudgery of work (particularly for vacationally endowed executives), on behalf of security managers everywhere, I humbly offer this epistle as a short refresher course for our corporate leaders, as we head back to the business of doing business. I hope that this brief letter will help jog their memories as to what our duties truly are, and make it more bearable for them when their respective security managers begin to pester them with dire warnings of impending network doom and requests for ever-more increases in security budgets. May it also help our beleaguered security managers get some real support as the fall begins.

Security Managers Are Not Paranoid; They Just Seem That Way

You may think that we believe threats lurk behind every router, hub, and user, and sometimes to us it seems that way. However, we realize that repeated, unsubstantiated gloom-and-doom warnings about cyber-terrorism, viruses, and hackers will only make you ignore us, much like we ignore those ubiquitous NIPC warnings. Therefore, we pledge to only report tangible, confirmed items that present a pressing danger to the continued operation of the company.

In return, we ask that you acknowledge our advice, heed our warnings, and support us in the best interests of the company. Furthermore, while you may not want us to be involved in the policy approval process, we ask to be included as trusted advisors when such items are discussed and that you allow us to make informed comments as necessary. After all, you hired us because our credentials were sound, our knowledge deep, and our abilities strong. And we're still employed because you trust us to do the right thing. That includes giving you objective, informed advice on security matters when appropriate. It's up to you to take our counsel as the experts in this field and make the right decision for the company's best interests.

Security Is More than Technology Components

Our three guiding principles are to serve the business by ensuring the confidentiality, integrity, and availability of the systems under our responsibility. As good security practitioners, it's our duty to think like the bad guys, and figure out how they might cause damage to our corporate information environment. Sure, we know that our firewalls are good and are updated regularly, but simply spending money on technological solutions will not ensure the security of the enterprise. If we do not have redundancy built into our networks, if we continue to use software that's full of recurring security holes, if we continue to treat security as a secondary issue, our organizations' data will continue to be at risk.

Security professionals know that people are inevitably the weakest link in the security chain. We can minimize the negative effects of human error if we have your support in drafting well-designed policies and procedures. We must be able to count on your support when it's necessary for us to implement and enforce them. Organizations place a premium on employee education and knowledge for their success; this should extend to security as well.

Our calls for better security education amongst employees aren't to fuel our ego or increase our power in the company; they are merely to ensure that security is considered and implemented throughout our corporate environment. Just as you would ask all stakeholders to take responsibility for the success of the enterprise, we would ask that all employees take responsibility for the security of the organization's crucial data. It doesn't cost much to raise awareness, and in the long run, it's a great return on investment. We hope you would prefer to have problems prevented through effective education and planning before the fact than through costly damage control and repair after the fact, when it will likely disrupt operations, cost more money, be harder to address, and endanger our revenue stream, not to mention embarrass us in the eyes of our shareholders and the media.

The More We Sweat in Training, the Less We Bleed in Combat

If you happen to wander the corridors around our work areas and see us surfing the Net, rest assured, we aren't goofing off. If you hear our hoots of glee from the test lab when playing around with new software or hardware, trust us, we're not playing frivolous games. Believe it or not, we're doing research. Computer security is a rapidly changing field. New vulnerabilities are announced every day. New exploits to take advantage of those bugs inevitably follow soon after. To be truly effective security guardians, we need to know not only what we're up against but how to defend against it. That means we have to be on the prowl for new attack tools and hacker news, so that we can be better prepared to respond if and when such attacks occur. We take it upon ourselves to learn the tools and techniques of the bad guys, and apply them against our own systems first to see where they might be effective at causing damage to our company. Knowing that, we can then prepare and protect ourselves accordingly.

This may sound a little kooky or far-fetched, and it is certainly unconventional in the button-down corporate environment, but you'll thank us when the next major virus, bug, or exploit passes us by unscathed.

We Must Become a Distinct, Trusted Entity

We're not the secret police. Our primary customer is the company and its employees. We can't be effective without their participation and support, and that includes working well with product teams and business unit leaders. As such, we pledge to be objective, trusted third parties for the company, just like the legal and HR departments, and will work to earn and keep their trust by being available, easy to work with, professional, and helpful. While we may report to the CIO, unless we're free to work with other business units and departments without multiple layers of bureaucratic stovepipes, we'll never be perceived as anything but a bunch of glorified geeks trying their best to make it difficult to accomplish anything in the company, which is not the case. We're here to help, and work with people to move the company ahead, not slow it down. We're business assurance specialists, not obstacles to profitability.

By the same token, we need the support of your fellow corporate muckety-mucks to ensure that we receive the support and respect that we need to do our jobs as effectively as possible. This may mean giving us the authority to enforce security policies. It may mean allowing us to participate in the education of the end users. It may mean giving security personnel a higher profile in the company. However it is done, by integrating us into the company and giving us the respect and status our work deserves, you will make it easier for us to do our jobs. And that can only benefit everyone.

In Closing...

Autumn always seems to be a time of renewal in the workplace. I hope that these few points will explain how I plan to build and administer my security team this coming year. It may sound strange, but I do want to work with you and make our company's information environment much more secure, so we can continue to be profitable, even in today's goofy market.

Thanks for listening. See you by the water cooler.

# # # #

Richard Forno is the coauthor of Incident Response (O'Reilly) and The Art of Information Warfare (Universal). He helped to establish the first incident response team for the U.S. House of Representatives, and is the former Chief Security Officer at Network Solutions. Richard is currently writing and consulting in the Washington, DC area.

--
You are a subscribed member of the infowarrior list. Visit www.infowarrior.org/lists for list information or to unsubscribe. This message may be redistributed freely in its entirety.

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.