White Professional Male Turned CISSP Seeks Mega-Sized Security Management Model
Posted February 7th, 2008 by rybolov
I’m mulling over some ideas this week. It’s probably the death-by-CBT that being a new hire has become over the past 5 years.
I work with a ton of accountants in my new job. Obviously, they’re CPAs and Uber-CPAs, and for the most part, they’re proud of the valuable service that accountants bring to their community and to the US economy as a whole. $Deity bless them, there is no way I have the patience to do what they do on a daily basis, and from what I gather, they feel the same way about what I do. However, while learning the history of the accounting profession, I can’t help but notice a couple of things:
- CPAs have some strange ideas and a rich history, cross-training has some merit.
- Accountants are obsessed with compliance. More on this later.
- Attestation that a company has not cooked the books and is not headed into a downward Enron/Worldcom/Hindenburg-esque fiery crash is a good thing.
- Accountants highly value attestation.
- Accountants are typically weak on planning and project management (yes, making a generalization here).
- Accountants understand risk, but only qualitative dollar risks that can be measured via actuarial means.
- Accountants perform unnatural acts with spreadsheets.
- I have to be very careful when I mention the word “controls” because somewhere in there an interpreter is needed.
And then somewhere around day 3 of CBT-Hell, it dawned on me: we’re taking the models for accounting and applying them en masse to information security management. Explains quite a bit of things, doesn’t it?
Stop and think about the Federal government. Who is really in charge of security? Not NIST, they just write standards. The correct answer is the Office of Management and Budget (OMB) and the Government Accountability Office (GAO). In other words, the accountants and the auditors. It’s one of those things that make you go “hmmmm”.
Now, some of this is a necessary evil. Any good CISO will tell you that whoever controls the money controls the security; just ask a security manager who has had their budget taken away. As a profession, we’re tied to the economics of security just as tightly as the accountants are tied to the security of IT systems to maintain the integrity of accounting systems. It’s scary when you think about it, although I don’t know if it’s scarier for them or for us. =)
There’s an obvious reason why we adopted the accounting models for security: expediency. Of the typical CIO’s options of build, buy, or outsource, we outsourced the creation and maintenance of our governance model to the accountants. And just like outsourcing to a managed service provider who has in turn offshored some of their operations, we might not be getting what we planned at the very beginning.
But now we’re getting to the limitations of using that model:
- For the most part, we are an industry driven by vulnerabilities and risk management.
- Accounting is driven by law and oversight boards.
- What laws we have are very broad because the laws cannot keep pace with the technology.
- Information security is not reported to oversight agencies/boards/whatever to the same level of granularity as is financial information. Imagine reporting your WSUS stats on your SEC filing.
- Even the accountants are starting to agree on a more risk-based model than a compliance model. The latest guidance from the SEC on SoX 404 called AS-5 is a step in this direction.
- IT has a higher level of acceptable risk on both an organizational and personal level than accounting.
- The accounting model is focused on audit and oversight. Typically this is at the end of development and/or annually.
- True success in information security management needs a full-SDLC approach.
So this is what I’m mulling over: we may need to do some better tailoring of what we’re doing. What I really want is a large-scale method for security management that cuts out the parts of the accounting model that don’t work.
Not that I have an answer today, but it’s something I’m using my spare brain cycles to figure out. Who knows, maybe I’ll come full-circle and reinvent the current state. =)
Posted in NIST, Rants, Risk Management, What Doesn't Work | 3 Comments »
February 7th, 2008 at 2:50 pm
I have to be very careful when I mention the word “controls” because somewhere in there an interpreter is needed
I use the words, “Exceptions management” instead of “compensating controls” around people like accountants.
Who is really in charge of security? Not NIST, they just write standards. The correct answer is the Office of Management and Budget (OMB) and the Government Accountability Office (GAO)
This is so true. Performance accounting is the only way to get things done because they decide if you can or can’t do it. The whole world revolves around money, and the US government ensures we keep it that way.
Information security is not reported to oversight agencies/boards/whatever to the same level of granularity as is financial information. Imagine reporting your WSUS stats on your SEC filing
It sounds like you want to talk about this.
But you don’t really want to talk about that… do you?
True success in information security management needs a full-SDLC approach
YES! Wait, NO! True success in ISM needs to start with Software Acquisition and then move into the following triad: 1) Network/system/application hardening and system/application state knowledge (i.e. MITRE OVAL and NSA/NIST XCCDF) for known vulnerabilities, 2) Secure SDLC (i.e. MITRE CWE and OMG Semantics of Business Vocabulary and Business Rules – SBVR) for unknown vulnerabilities, and 3) Incident response (i.e. MITRE CEE and DHS BSI’s MAEC) to slow down or stop adversaries such as career-criminals, terrorists, nation state espionage, and malware/bots.
Although it’s interesting that you mention Secure SDLC because that’s my area of specialty. Have you been introduced to the CPSL concept that I write about?
What I really want is a large-scale method for security management that cuts out the parts of the accounting model that don’t work
I wrote something very complete, based around performance accounting (I think I stole the entire concept from the GAO) on Building a security plan that you should definitely check out and give me feedback on.
February 7th, 2008 at 6:19 pm
That last line sounds very “Shield of Achilles”-ish–veery nice. I wish I had a hollow leg full of spare brain cycles like you do…
February 8th, 2008 at 12:15 pm
Do you *really* want one rybolov? Because it’s going to take some serious commitment to do it right.