EDITOR'S QUESTION

Combating cyber crime in 2017 by building an information security programme.

Cherif Sleiman, General Manager, Middle East and Africa at Infoblox

As far as we've come with information security, the landscape still feels like the wild west. Every day we read about the cyber equivalent of ungoverned towns terrorized by enterprising criminals who pillage as they wish with seemingly no consequences. The good guys are few, and the sheriffs are too far between. Maintaining the peace rests upon you, whether you asked for the job or not. Swiftly reacting to intrusive foes may grant you the right to fight another day, but getting ahead of security risks warrants a proactive, strategic plan with structured management oversight.

Manage security as a program

Once you've identified the general pillars of your security program, each pillar will start to develop associated sets of projects and on-going activities around improving security posture. There are numerous tools in the security expert's repertoire to support this effort, but a couple of staple artifacts worth calling out are the risk register and operational security reviews.

The risk register is essentially where one lists risks and summarizes how these risks are being managed. It's not rocket science, and contrary to popular belief, it doesn't require the purchase of exorbitantly expensive software. In fact, for newly-founded security programs, a spreadsheet works just fine.

While the risk register may be appropriate for executive review, operational security reviews are intended to track progress (or lack thereof) on a more tactical level. For instance, tracking progress in the "vulnerability management" pillar may warrant metrics which track the number of high-risk system vulnerabilities, exploited vulnerabilities, average time to patch, and so on. These metrics must resonate with system owners and those responsible for day-to-day operational security so that they have actionable data to improve security posture.

In summary, a security program is a continuous journey that never ends. Like most journeys, it starts with a single step, and will certainly have pitfalls along the way. Perfect security is unrealistic, so don't be afraid to fail. How we manage and adapt is infinitely more important.

INTELLIGENTCIO – www.intelligentcio.com