Cyber Security Defense Failures Due To A Lack Of Project Management Skills

Having performed assessments on organizations with multi-million dollar budgets and managed projects for the same, I have been able to see a trend. In the beginning I wasn’t quite sure what “it” was, and I always focused on believing it was a lack of policy understanding by technical people and a lack of technical objectives from policy writers. Stepping back, I realized that the problem existed outside the understanding. There continue to be failures in this area, and it is no longer a finger-pointing game. Those who have been in the industry long enough know that Cyber Security people are, for the most part, biased. They believe that anything that appears before them with a familiar stench can be cleaned up “the same way they handled it last time!” This is a falsity, as there is never an exact duplication in dealing with Cyber Security activities.

So what is the fix action? Not re-creating the wheel:

Project Management has been around for a while, and although Security is a process, you will achieve more success handling it as a project. There is success in structure. Fluidity is not the same as flexibility; it is a sign of a lack of professional experience.
I have too often seen smart infrastructure and system administrator types move forward on installations, upgrades, and initiatives with no direction. They don’t know their customer, they don’t know the operational impact, and they have no idea where the requirement began and where it will end.

The reason: they have never formalized the processes. Understanding the risk will ensure you have researched all of the previous. The “who” in who is going to perform the work is based on who knows the most about something similar – failure. The funny thing is that the argument is always that the input required for project planning takes too long. Incorrect: recovering from an outage, handling customer complaints, saving face with external agencies, and reputation recovery take much more time and are overall more detrimental than stratifying efforts.

Handling incidents is the same. According to ENISA, Incident Handling has been refocused to Incident Management. The organization produced the latest guidance in 2011. In it, the document references frameworks, workflow, and lifecycle; interestingly enough, these are commonalities in Project Management Bodies of Knowledge. A Security Operations Center assessed in the past would take in tickets from customers, and “that ticket” became case law. By this I mean any ticket that came in with a similar feel went straight to the conclusion/recovery stage. Relating it to project management, there was no real initiation, planning, or execution, and the only control came through a ticket management system. The team also relied heavily on creating metrics by review rather than utilizing the system’s established metric capabilities.

Turning Cyber Security processes into projects will be a difficult sell to many members of a security team, but I believe the long-term benefit will better help organizations in SOP creation and moving forward.

I would like to know of incidents where you saw success or failures using this approach.
