There are five habits of highly secure organizations, according to Ben Rothke, Manager – Corporate Services Information Security at Wyndham Worldwide.
Rothke was about to give a presentation on this topic at the 2013 RSA Conference in San Francisco, but he gave Tripwire’s David Spark a sneak preview on the show floor just beforehand.
- Have a CISO: Somebody needs to drive security. For example, a Chief Financial Officer is critical for driving finances. Similarly, a Chief Information Security Officer is critical for spearheading the company’s security practice.
- Risk management: Risk drives everything. The CISO understands the risks and threats the organization faces and designs a security program around that. This must be customized and not a series of standard “best practices.”
- Invest in people, not products: “The cost of hardware and software purchased has no corresponding effect to the level of security,” said Rothke. A company that has great talent using open source products will be more secure than a company that spends millions on proprietary tools but doesn’t intrinsically know how to use them.
- Policies and procedures: It’s very important to have standardization across all business units and processes. You want the firewall installed and managed in one location to be installed and managed the same way in another location. “If things aren’t done via standard processes you’ll have inconsistencies and that’s where security breaches and mistakes happen. When you don’t have common procedures and common practices things are done ad hoc, and ad hoc is the enemy of good security,” warned Rothke.
- Awareness: People have to have situational awareness of what they’re doing. For example, if you don’t have effective key management, all the security you have will go up in smithereens, said Rothke.