A customer took me out to lunch recently and wanted to discuss "the state of security" at his company. He proceeded to ask me general questions about his view of security, how to do patching, how to perform virus scanning, how to do spam filtering, Windows XP migrations, penetration testing, how to do network auditing, etc. I asked him why he was so interested in this topic and his response was they were recently hit by a variant of the crypto-locker virus and lost several computers worth of data.

My next question, how do you do backups and disaster recovery?

A few moments of silence and then he said he was not worried about backups or DR right now.

My counter was "backups and DR, and business continuity, are very much topics of security. You can have the best "security" in the world but none of that will help you when someone spills their drink or an electrical surge hits you at just the wrong time at just the wrong point and you experience data loss that can not be recovered. How is the business protected?"

Security, as defined from the dictionary means:

While patching, virus scanning, and intrusion detection are certainly an aspect of security, they are not all of security. Why spend money on buying protection from viruses when a simple hard drive crash could be even more devastating?

My favorite definition of security is "freedom from risk" and "an assurance or safeguard." So if we define security as "an assurance or safeguard from risk" it starts to make more sense. Ever heard of a Risk Assessment or a Chief Risk Officer? Or how about those Information Assurance degree programs now available?

Next time you go to a security meeting and the talk is about the latest software exploit and who's turn it is to stay late during the maintenance window to patch the vulnerability, ask about the likelihood of that impacting your business, question the priority the folks around the table are placing on this. Look into your last risk assessment and remediation plan, if you had one. How is the business, and also your job, protected?

*disclaimer* This document is my own and does not represent anything from any other entity. I will not be held liable for anything bad that comes of it. Conversation overview approved for reposting by my customer, thank you.

Written by Eric Wamsley
Posted: September 26th, 2014 5:17pm.
Topic: Security
Tags: Security, risk

 Eric Wamsley - ewams.net