@ISACA Volume 16  10 August 2016

Corporate Culture: Is Anything More Important in a Security Program?


Corporate security culture flows from the top. The risk tolerance of a program is a direct reflection of senior management in organizations. But what about those who are not at the C-suite level? What about the corporate culture that surrounds cybersecurity, information assurance and security professionals? We are often quick to hold organizations to an expected standard, but do we ever hold a mirror up to ourselves?

It is interesting that, as security professionals go about our jobs doing good and fighting the good fight, many of those fights are struggles we find ourselves condemned to as a result of decisions that were made earlier. To be fair, there are times these decisions are made without input from security professionals, or with a cost or operational objective in mind. Even so, it is amazing how many of us accept this situation as our fate.

The following paragraphs outline some of the top misconceptions in the industry. Because of these misconceptions, we are left with tools, produced by serious computer science and computer engineering effort, that are woefully inadequate for treating even the symptoms, much less the root causes, of security concerns such as the following:

  • Malware—Many enterprises readily accept malware as an integral part of the threat profile. As a result, enterprises continue to buy malware prevention software to meet the threat. The malware prevention software does not fix anything and barely addresses the symptoms. What is disturbing is that many security professionals accept this reactive security posture. Often, this acceptance means tolerating new malware until the malware prevention vendors can address the new symptom. The IT industry is filled with products that create environments in which malware can flourish. Security professionals should be focused on the root cause, which is the products that provide malware opportunities, and not be satisfied with a reactive posture.
  • Hardening of operating systems—A surprisingly high number of security professionals are still setting the security configuration of technology as it is being introduced into their infrastructure. This is an activity that should have been performed by the vendor and validated as part of product acceptance. Security professionals may say that their particular infrastructure is unique or that their software development requires special configuration. With the introduction of standard communication protocols and large IT product suites, we are unique in our sameness. You may choose to think your situation is unique, but it is your culture that amplifies the perceived requirements and leads you to perpetuate this false reality.
  • Software development—Software development can be done on an operationally configured platform. Most development shops choose not to, and are allowed not to, because that is the way it has always been done. Business processes are broken if you rely on penetration testing or other security events at the end of the development cycle, because, by then, the money has been spent and the products have been bought. Pulling widgets and other software into the code base without modification is a bad idea. There is no such thing as a free text field in a user interface: just because a field is alphanumeric does not mean every alphanumeric character should be allowed to be entered. Open-source software can be hostile, even if it is an operating system. Developers do not need unfettered privilege in the operational environment.
  • Assessments and old security policies are prevalent throughout the industry—Protection strategies and policies can age well. In fact, if written at the proper level of detail, they can be almost timeless. It is their implementation that falls into disrepair. We have all encountered a security policy that requires assessment of a system prior to its introduction into the operational environment; this is a good practice. However, at scale there could be 100 iterations of that system a day to keep up with demand. The idea of assessing each one is humorous. It is critical that the software orchestration itself be assessed at its core. It may be necessary to assess a sample of the orchestrated iterations, but assessing all of them is excessive if privilege is being managed.
  • Privilege—It is hard to maintain a secure state in an operational environment when developers, trainers, operators and users demand privilege in the operational environment. It is critical to understand that if one is orchestrating hundreds of secure software baselines a day across the infrastructure, the issue of privilege escalates quite quickly. There was never a time when monitoring the use of privilege through audit trails was realistic. Because of the scalability and number of privileged users using the systems, it is necessary to have proactive privilege management tools and real-time configuration management. If you think privileged users are performing without human error, you are mistaken.
  • Architecture—So many organizations operate without a coherent architecture, i.e., without an IT vision and with no idea of what the data are, where the data reside in cyberspace or where they should reside. It is hard to protect data when the data architecture, and the implementation of that architecture, amount to “We have proprietary data in our computers that we want to isolate.” Where are these data? On which computers? Some organizations may say not to worry about email servers, even though a substantial amount of their electronic transactions come through email.

As security professionals, we have to understand that securing something, more times than not, means defining it first. Have you documented your security strategy, security architecture and product list? Even if it is not a stated requirement, it is a good business practice in case something were to happen to the security staff. Nothing is more embarrassing than getting promoted and having your replacement outline the shortcomings of the security program, not because it has not been implemented, but because it has not been documented.

Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Earn CPE at Data Classification Webinar



Data classification is essential to any data-centric security strategy. To help enterprises succeed with data classification, ISACA has partnered with Boldon James, Ltd., to present the Top 5 Tips to Overcome Executive Challenges to Implement Data Classification webinar. This webinar will take place on 11 August at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

Bill Belcher, vice president of sales and business development at Boldon James, will lead this webinar. He will discuss how data classification can protect sensitive data, ensure compliance and identify risky user behavior that may affect the business. Belcher will also discuss how data classification can transform security culture and enhance existing security technologies.

To learn more about this webinar or to register for it, visit the Top 5 Tips to Overcome Executive Challenges to Implement Data Classification page of the ISACA web site.


Learn to Leverage the CMMI Framework at ISACA Webinar


The Capability Maturity Model Integration (CMMI) is a framework of best practices that enables suppliers to deliver consistently high-quality software in a timely manner. ISACA’s recent acquisition of the CMMI Institute provides a valuable opportunity for synergy between ISACA and CMMI. To discuss the foundation of the CMMI framework and how it affects the professionals ISACA serves, ISACA and CMMI are conducting the ISACA Presents: Building Capability with CMMI webinar. The webinar will take place on 17 August at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

Alexander Stall, CMMI practice leader at the CMMI Institute, and Peter Tessin, CISA, CRISC, CGEIT, technical research manager at ISACA, will conduct this webinar. The CMMI framework is useful for identifying the most capable software service suppliers in various fields. The framework is used globally and by many governmental organizations. In the webinar, Stall and Tessin will discuss how the CMMI framework can be leveraged to benefit ISACA members and the global information systems and business communities.

To learn more about the webinar or to register for it, visit the ISACA Presents: Building Capability with CMMI page of the ISACA web site.


Earn CPE With New COBIT 5 Video Series


The recently released COBIT video series enables employees, practitioners, managers and executives to learn the basics of COBIT 5 and the value of governance of enterprise IT (GEIT). Enterprises that purchase this video series can effectively train their employees on COBIT 5 and GEIT. This self-paced video series is also ideal for practitioners who want a high-level overview of COBIT 5 and GEIT but live in an area lacking COBIT training resources.

The video series covers the main features of COBIT 5, the interaction among the COBIT 5 principles, and insight into the COBIT Implementation and Assessment Programs. These videos provide continuing professional education (CPE) credit for those who watch them. The videos come in two packages: the power package and the lite package. The power package comes with 31 videos and provides 4 CPE hours. The lite package includes 19 videos and provides 2 CPE hours.

For more information about the video series, visit the COBIT 5—Introduction to COBIT Videos page of the ISACA web site.


Connect With Your Next Technology Role or Employee



The ISACA Online Career Fair can help you connect with employers looking for information systems professionals. The career fair is also ideal for enterprises looking to fill an information systems position. This virtual career fair will take place on 15 September from 11AM CDT (UTC -5 hours) until 2PM CDT (UTC -5 hours).

Because of the virtual nature of the career fair, you can look for jobs in various geographic regions. Employers will have the opportunity to connect with skilled professionals from around the world. Attendees can find their next career or employee by participating remotely in this career fair.

To register for the career fair, visit the Career Centre page of the ISACA web site.