I was having a delicious lunch of mini-cheeseburgers and sweet potato chips the other day with my pal KL, and we were having a spirited discussion about defense-in-depth when it comes to network and infrastructure security for the enterprise.
K has posted some good thoughts on the topic in his handler's diary at the SANS Internet Storm Center, so I'll link to them rather than recounting them here.
It's apparent that as the size and complexity of a firm's infrastructure grows to accommodate mergers and acquisitions, organic business growth, and technology refresh, the complexity of the security threats changes too, and not always in direct proportion to the attack vectors present or the evolving threats themselves.
As a business changes - whether it's pushing into previously unexplored markets, setting up shop in new countries, marketing and driving to pull more or different client bases into the fold, or taking over some other firm's infrastructure as part of an M&A strategy - it's short-sighted and reckless to think that your prior strategy will suffice unchanged, or that your tactical approach will just need more of the same bells and whistles that you already use.
Security professionals who fail to see both the opportunity and value of viewing their space holistically will soon be faced with a myriad of problems not easily solved, including scalability issues, obstacles in allowing the business units to be agile and dynamic, compatibility nightmares, and a continuous feeling of dread that comes with not really having confidence that you know everything you need to know.
Much like info security staff develop a sixth sense when presented with a series of circumstances that leads them to make good judgements, it's imperative that IS leadership forges and maintains solid relationships with key business leaders, not only to understand their current goals and challenges, but also to provide core risk-benefit analysis in a dynamic manner.
If the business is planning to introduce change (location, scope, market, etc.), what issues does this raise in the IS space, and what's the best way to address them? What are the costs associated with these issues, and have they been factored into the overall resource requirements for the business?
If the changes entail new or different technologies, what are the threats to those technologies, and how prepared are we to meet those threats on Day 1? Do we need to introduce new security controls, and if so, what gaps might those new controls open in our existing coverage, and how are we going to ensure all gaps are rapidly identified and remediation plans are in place?
The successful infrastructure security organizations will not only have depth in the core skills needed (IDS, firewall, AV, data leakage, anomaly detection, and so on), but will also be highly conversant with, and hungry to understand, the business drivers that make the firm run. Without this business acumen, the IS organization is operating with an incomplete picture, and its greatest threat will be that it doesn't know what it doesn't know.