I love the quotation usually attributed to George Bernard Shaw: “The single biggest problem with communication is the illusion that it has taken place.” Since imitation is the sincerest form of flattery: the single biggest problem with Information Security is the illusion that it has taken place.
There are two main ways that Information Security can be illusory:
- Leveraging a “point-in-time” security (the PITS) model
- Improperly implementing a “continuous” security model
I would argue that most organizations leverage a PITS model with continuous “aspirations”. The core elements of their Information Security Management System (ISMS) are PIT assessments. Conducting a thorough point-in-time assessment of the designed (or deployed) security controls is a necessary but not sufficient condition to demonstrate security due diligence. Why? Because threat agents, vulnerabilities, technology, laws and regulations, business objectives, and the external solution elements you rely on all change, often rapidly. These changes illustrate the danger of over-reliance on PIT assessments that take place in only a single phase of a solution life-cycle (e.g., a design review before development, or a penetration test before deployment): a control that passed on assessment day may be misconfigured the next week, and nothing in a PIT-only program will notice until the next assessment, if it is still misconfigured then.
The key element to managing an ISMS is the continuous flow of external risk and internal operational information, captured in a manageable and actionable way. A well-designed and well-managed continuous monitoring program fills the “temporal” gaps (what happens between assessments) and “coverage” gaps (what a single assessment never looks at) between the static point-in-time assessments, which remain integral to continuous security, in a manner that facilitates true information security risk management. Far too often the “illusion” is that a continuous security model is actually in place when it is not. We find that entire control environments are built without a risk assessment, and that monitoring is focused on regulatory compliance rather than security. The result is that the continuous (and often the PIT) elements of the ISMS are not optimally focused, and we are left with the illusion of security.
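To make the “temporal” and “coverage” gaps concrete, the following added example (not code from the original post or its author) replays a constructed timeline of control-state snapshots and compares when a continuous monitor would first see a deviation from the approved baseline versus when a point-in-time assessment would. The control names, baseline values, timestamps and the two deviations are all invented for illustration: one deviation (root SSH login enabled) is reverted after four hours and is never visible to the quarterly assessment at all, the other (log forwarding to the SIEM broken) persists and is caught, but only after weeks of exposure.

```python
"""Added example: measuring the gap between point-in-time (PIT) assessments
and a continuous control-drift monitor.  All data below is constructed."""
import hashlib
import json
from datetime import datetime, timedelta

# Approved baseline for a handful of controls (constructed example values).
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "firewall.inbound_default": "deny",
    "tls.min_version": "1.2",
    "logging.forward_to_siem": True,
}


def digest(config: dict) -> str:
    """Stable SHA-256 over a control-state snapshot (sorted keys, so key order is irrelevant)."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


def drift(config: dict, baseline: dict = BASELINE) -> dict:
    """Return {control: (expected, actual)} for every control that deviates from baseline."""
    return {k: (v, config.get(k)) for k, v in baseline.items() if config.get(k) != v}


def first_drift_events(snapshots, baseline=BASELINE):
    """Walk time-ordered (timestamp, config) polls; record for each control the first
    poll at which it deviated and the first later poll at which it was back in line
    (None if still deviated at the end).  Only the first deviation per control is tracked."""
    events = {}
    for ts, cfg in snapshots:
        bad = drift(cfg, baseline)
        for ctl, (expected, actual) in bad.items():
            events.setdefault(ctl, {"drifted_at": ts, "expected": expected,
                                    "actual": actual, "restored_at": None})
        for ctl, ev in events.items():
            if ctl not in bad and ev["restored_at"] is None and ts > ev["drifted_at"]:
                ev["restored_at"] = ts
    return events


def compare_detection(snapshots, assessments, baseline=BASELINE):
    """For each drift event, when would a continuous monitor (every poll) and a PIT
    programme (only at `assessments`) first have seen it?  A PIT assessment sees a
    drift only if it runs while the control is still out of line; a deviation that is
    reverted between assessments is invisible to PIT (the coverage gap).  Continuous
    detection latency is bounded by the poll interval, not by the assessment calendar."""
    results = {}
    for ctl, ev in first_drift_events(snapshots, baseline).items():
        restored = ev["restored_at"]
        pit = next((a for a in sorted(assessments)
                    if a >= ev["drifted_at"] and (restored is None or a < restored)), None)
        results[ctl] = {
            "expected": ev["expected"],
            "actual": ev["actual"],
            "drifted_at": ev["drifted_at"],
            "continuous_detect": ev["drifted_at"],          # the poll that observed it
            "pit_detect": pit,                              # None: never seen by PIT
            "pit_exposure": (pit - ev["drifted_at"]) if pit else None,
        }
    return results


# Constructed timeline: hourly polls over 100 days with two deviations introduced.
T0 = datetime(2011, 1, 1)


def at(hours: int) -> datetime:
    return T0 + timedelta(hours=hours)


SNAPSHOTS = []
for h in range(24 * 100):
    cfg = dict(BASELINE)
    if 100 <= h < 104:                 # root SSH enabled for four hours, then reverted
        cfg["ssh.PermitRootLogin"] = "yes"
    if h >= 300:                       # SIEM forwarding breaks and is never fixed
        cfg["logging.forward_to_siem"] = False
    SNAPSHOTS.append((at(h), cfg))

# Pre-deployment assessment at go-live, then the quarterly review on day 90.
ASSESSMENTS = [at(0), at(24 * 90)]

if __name__ == "__main__":
    for ctl, r in compare_detection(SNAPSHOTS, ASSESSMENTS).items():
        print(f"{ctl}: drifted {r['drifted_at']:%Y-%m-%d %H:%M}, continuous saw it immediately, "
              f"PIT saw it {'never' if r['pit_detect'] is None else 'after ' + str(r['pit_exposure'])}")
```

The two numbers that matter are `pit_detect` (None for the transient SSH change, because no assessment fell inside its four-hour window) and `pit_exposure` (77.5 days for the broken log forwarding). Swapping the constructed snapshots for real ones, for example the output of a configuration-management agent or a CIS benchmark scanner on each poll, turns this into the skeleton of an actual drift monitor.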
If you don’t agree that the single biggest problem with Information Security is the illusion that it has taken place – give a call over to Sony, Citi, RSA, …
About the Author:
John Verry, CISA, 27001 Certified Lead Auditor, CCSE, CRISC - "Security Sherpa" - Information Security Auditor