From time to time, I like to compare and contrast the nascent
Information Security profession with more traditional and established occupations.
For example, a lunch with a police officer friend once gave me some food
for thought.
I had such an occasion the other day in a breakout session on
the topic of Incident Response. The presenter did a great job covering the subject
matter and asked an obvious question. He said, “We all know we need to practice
incident response more, so why do so many of us rarely do it?” His voice was
full of reproach. Fifty thoughts quickly flowed through my stream of
consciousness. So as to not pass out and stay focused on the presentation, I
quickly jotted down “Fire Department” and returned to the presentation.
A Fire Department is a quintessential incident response
profession. The history of organized firefighting began in ancient Rome while
under the rule of Augustus. In the early US, private fire brigades competed against
one another to be the first to respond to a fire because insurance companies
paid brigades to save buildings. On January 27, 1678 the first fire engine
company went into service and in 1736 Benjamin Franklin established the Union
Fire Company in Philadelphia.
A Firefighter is focused solely on incident response. Incident response for this profession is not one additional duty - it is the only duty. When a Firefighter is not responding to an incident he/she is maintaining the equipment, at the grocery store or training. Training to respond to an incident is the only way to get proficient. I concede a not so subtle difference between a Firefighter and an Information Security professional is the latter is not putting their life on the line when responding to an incident, only their career.
On the other hand, let us look at what any good security
office should be covering in their scope of duties. ISO 27002 will do nicely
for this purpose:
1. Information Security Policies
2. Organization of Information Security
3. Human Resource Security
4. Asset Management
5. Access Control
6. Cryptography
7. Physical and environmental security
8. Operations security - procedures and responsibilities, Protection from malware, Backup, Logging and monitoring, Control of operational software, Technical vulnerability management and Information systems audit coordination
9. Communication security - Network security management and Information transfer
10. System acquisition, development and maintenance - Security requirements of information systems, Security in development and support processes and Test data
11. Supplier relationships - Information security in supplier relationships and Supplier service delivery management
12. Information security incident management - Management of information security incidents and improvements
13. Information security aspects of business continuity management - Information security continuity and Redundancies
14. Compliance - Compliance with legal and contractual requirements and Information security reviews
Therefore, of the fourteen areas ISO 27002 defines as
coverage for an Information Security Office, only one deals with incident
response. Interesting, is it not? Of course the modern Firefighter does not
only deal with fires but also emergency medical calls. In fact that is their
top business. Yet, there is an interesting contrast in that type of incident
response too. When responding to a medical call, the main job is to stabilize
and get the patient to a hospital where a trauma unit takes over. The
Information Security professional has the patient from start to finish (whenever
that is), and they have to keep running the hospital while working on the
patient.
Moral of the compare and contrast? If you do not have enough
bandwidth to practice incident response often, you had better get a firm on
retainer. The other nugget of wisdom? Information Security people are asked to
be experts in many different areas and rarely given the time or resources to
become such. We also have to buy our own groceries and on our own time!