I was recently out camping in a rather busy campground. Nearby was a group of teenage girls, wrangled by mothers who overall lacked the necessary training in crisis management to keep a lid on the brood. At the same time, I was working on a deadline to get a couple of pieces written, and I have to say, the challenge was immense. The noise generated by the group of 12 or so girls seemed to ebb and flow at rates rivaled only by large crowds at major sporting or entertainment events.
In many ways, this is the situation we face in information security. We are constantly surrounded by noise. Different people in varying parts of the organization are clamoring for attention, or battling with each other, or just generating a lot of background noise, and yet we're expected to buckle down and achieve our objectives. My favorite whipping boy, the PCI DSS, is an excellent example of a large source of potential noise: it provides plenty of salient details, but also generates so much volume that it can drown out your hopes and dreams.
The key to success, then, is in finding a way to cut through the noise. In my case, I was able to position a citronella candle such that the flickering light provided a source of focus that took my mind off the background noise. In other cases, however, a candle may not work. Instead, it's important to find ways to block out the "unimportant" in order to cut through to the "important." These terms are, of course, subjective, but the distinction holds up in practice.
Compliance today, in many environments, provides a very large source of noise. Finding focus can be a challenge. But it's a challenge that can be met. Start with key principles of information security. Are business and operational requirements understood, well-defined, and well-communicated? How's your risk management? Do you have a complete risk management framework in place (note, this is not just asking about risk assessments, but the entire risk management program)? How's your operational security? Do you have visibility into key systems (e.g. logging, data flow maps)? Have you defined key metrics? Are you actually measuring and tracking them? Are you performing routine audits and self-assessments? How's your security testing program?
It's easy to become overwhelmed with all of these topics and concepts, but focusing on fundamentals (risk management, operational security, quality and performance) can allow you to achieve clarity and focus. Aim for a successful security program and the pieces will fall into place.
(Note: this article is cross-posted from T2PA Practical Security Core)