Who's going to dig you out of a security hole when the time comes?
Finding a partner – what to check for
You may have noticed that information security is something of a big deal these days. You’ll also not have missed that the attackers’ capabilities are far ahead of those of us trying to defend our systems against them.
For many people, and maybe you, it makes sense to fill that knowledge and skills gap by bringing in a support partner.
Before you do, though, give some thought to what we mean by security. Back in the day, security meant stuff like privacy, encryption, and access control. And look at standards such as PCI DSS (the payment card industry data security standard) and you’ll find they’re full of requirements like:
- Restrict access to cryptographic keys to the fewest number of custodians necessary.
- Install critical security patches within one month of release.
- Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
These days the scope has widened somewhat, and alongside confidentiality (ie, all of the above) we’re now told that we have to think carefully about the integrity and availability of our systems, and that our Chief Information Security Officer cares deeply about ensuring that we do.
So if we dig out our copy of the ISO 27001 standard we read stuff like:
- Backup copies of information, software and system images shall be taken and tested regularly.
- The use of resources shall be monitored, tuned and projections made of future capacity requirements.
Been there, done that
Am I alone in thinking that these latter items are what we system and network administrators have been doing for years? When I was installing resilient pairs of Cisco ASA5510s I was a network manager, and I didn’t need the security manager to tell me to do so. I’ve had monitoring on the kit I’ve installed over the years so I could see when a network link failed.
I’ve kept an eye on resource usage so I could be sure something wasn’t about to fill up its boot drive. The companies I’ve worked for and with have all had HR teams that dealt with vetting new employees and ensuring employment terms were clear and obeyed.
Much of what we today call “security” is what system and network managers of my age simply regard as basic enterprise architecture, network design, and even common sense. Of course you’d consider pairing your edge routers if downtime isn’t an option. And of course you’d back up your data so you can restore it if the server disk crashes. Why would you need help with that?
So let’s look back at what we’d traditionally have called “security”. This is where you actually may need some help, because it’s where the difficult and clever stuff resides – particularly when it comes to picking up the pieces in the event of a successful (on the part of an intruder, that is) attack.
The confidentiality elements of system and network management are where you are running to keep up with attackers: keeping up with developments in security algorithms, for example, and at the same time staying abreast of where the attackers are starting to defeat them (anyone think MD5 is the best choice for a hash algorithm these days?).
Another area where you’d enlist a third party for help is in the variety of accreditations and compliances that our customers insist on more and more as time goes by. These will almost certainly be new to you, and you’d be mad to try to figure them out by yourself – it’ll just take an intractably long time to do so and you’ll certainly miss some key points.
Training, training, training
In my experience, this latter third party involvement is something you can taper off over time. While you’d be silly to try to gain, say, your first ISO 27001 or PCI DSS accreditation without external advice, I strongly suggest you shell out on some training for your in-house teams so you can gradually bring the work in-house over time. Money spent on training will inevitably be saved by not spending it on extended third-party relationships in this respect.
The way we’re heading with this is: use third parties when you can’t reasonably expect to do everything yourself – but only until you can do some things yourself. The clearest example here is security incident response: unless you’re a huge company that has the time, money and people to keep up to date with the intricacies of security attacks and forensic analysis, a third party is the way to go.
Anyway, if you hire the right supplier they’ll have way more experience of genuine problems and incident responses than you could ever dream of having, and will bring value that you couldn’t have yourself. And if there’s stuff that you need to kick-start then get someone in to do so – but with caveats.
And those caveats are simple: we’re not talking about outsourcing your security function permanently, so be clear on the timescales and deliverables.
I know a contractor who’s just hit the tenth anniversary of his current position, and your target is most definitely not to help someone beat this record. This will sound dumb, but before you sign on the dotted line you need to agree on both the deliverables and the timeframe for the third party involvement, with one of the key targets being skilling up your internal team and obtaining a hand-over of a significant portion of the security regime by the end of the contract.
Extending the contract because you didn’t agree on the terms of engagement is undesirable and expensive. And as you go, question yourself and your supplier – even better get someone else to sanity-check what you’re doing and ensure that you’re not missing the point.
In short: use a support partner to deal with emergencies, to bring short-term knowledge, and to help you temporarily if you simply don’t have enough people to get the work done in the time available. Be clear on what third parties do for you, and on the nature and duration of the relationship: use short, fixed-term engagements by default, with long-term relationships reserved for the things you can’t expect to do yourself.
But in the long term, your core support partner should be … well, you. ?