We hear a lot of talk about needing good information security processes, but why are they so important? Well, besides being the basis for a strong security program and compliance with regulatory guidance, they also represent the best way to get consistency across the security initiative and between silos of knowledge. Done right, good security processes halt infosec by “cult of personality”, but they aren’t infallible. Here are three things that having good information security processes won’t do:
1. Defense Without Funding – Even the best security teams often struggle to convince upper management of proper budget needs. While good security processes might help you generate metrics and real-world threat insights that you can use to explain risk to your management, as the old saying goes, if they spend more on coffee than infosec, they will get hacked and they will deserve it. Even good processes can’t save you if your security team is resource starved.
2. Pet Project Sink Holes – We’ve all been there: a manager or executive has an idea that steamrolls into a project and yet is just a doomed thing from the start. IT and other parts of the business, including security, can get drawn into the vision and throw a seemingly never-ending set of resources down the gullet of this project that never seems to progress, but just won’t die. Unfortunately, this is another place where strong processes just don’t help. Once the project steals the imagination of the executive team, the game is pretty much over. You ride along or die. Where you can win here with strong processes, though, is by defining good minimum levels of resources that your policy forbids being switched to other tasks. Then, at least, you have a base to stick to when one of the hurricanes of fail comes over the horizon.
3. Zombie Apocalypse – Nope, they won’t help you here either. Good processes tend to break down when the zombies are munching on the brains of your teams as a snack. Yeah, we know, we saw the screenplay too, but we still think that whole Charlie Sheen in grubby clothes and grey makeup thing is just another tacky grab for more attention. 🙂
Seriously, other than these, good processes help with infosec. Get started on them right away, before the zombies reach the data center...