Pay it forward / Advice for the security admin and manager

Pay it forward / Advice for the security admin and manager

4 Comments on Pay it forward / Advice for the security admin and manager

I am going to combine my security tip of the day with my series of advice for security admins and managers.  So here goes:

I can sum up this advice post in two words: due diligence.  It is obvious that due diligence is necessary in all aspects of security and other areas, but lets go over a few examples:

  • Due diligence in your security solutions:  As a security manager, I get calls from vendors wanting me to buy their security products on a daily basis.  Many of them are big guys like Cisco.  Many are smaller shops like StillSecure (no offense Alan).  Now, the name recognition that comes with Cisco instantly draws me to them.  Cisco has a major role in my network (no surprise), so the familiarity with their product makes me instantly pay attention.  And I know as a busy security manager that I could probably buy their product without looking around and doing my DUE DILIGENCE and get a decent product that my boss is not going to gripe about.  But that goes back to the ol’ “good enough” discussion between Alan Shimel and Michael Wright.  Cisco does make some fine products, but they are simply not the best when it comes to security.  What I should do is take the time to look at other solutions, and then determine what the best solution is for my business.
  • Due diligence in keeping your security measures up to date: Let’s look at an example.  Take the good ol’ IDS.  Many people proclaimed the death of the IDS years ago.  But I believe with the surge of SIM / SEM products out there, the IDS can be used in conjunction with an IPS to give some really good info as to what is happening in your network.  Of course, you have to tune your IDS, and you have to maintain signatures.  And you have to make sure your SIM / SEM is setup to alert on current attacks and maintained to recognize any new attacks or new devices in your network.  This type of due dilignece needs to be applied across the board.
  • Due diligence in procedures: Policies are easy.  Procedures are a bear.  But they are infintely more important than policies because they define how the policies are applied.  Without procedures, policies are essentially worthless.

Practicing due diligence will make your network secure and your career successful.  Getting a reputation for being anal can sometimes be a bad thing, but in security it is an endearing term.


About the author:

My name is Michael Farnum. I am a Practice Principal at HP Fortify on Demand. I live in Tomball, Texas. I have been in the IT and InfoSec field since 1994. I am the founder and chairperson of HouSecCon, THE Houston Information Security Conference. These are MY words, not my employer's or anyone else's.


  1. Anton on Security  - August 11, 2006 - 1:43 am

    Anton’s Security Tip of the Week #1…

    Upon seeing folks giving security tips of the day on their blogs (like here, here, here ; SANS jumped in as well), I decided to follow along and join the initiative. One of the bloggers called it “pay it forward”……

  2. Mark Washington  - August 7, 2006 - 9:19 am

    I agree for the most part and I would like to add the following to your due diligence in procedures. There is a third part and it is enforcement. You can all the policies and procedures readily available to your user base, however if you do not enforcement that has “teeth” there is really no point on having a policy or procedure unless you are under some type of regulatory compliance. As an example the VA’s stolen laptop fiasco. There was a break down in procedures and probably a breakdown on security awareness within the organization. However there was enforcement (probably because the whole mess went public), one could argue that the enforce was somewhat severe, but regardless it was enforcement. Due dilgience in policies and procedures is great, but without enforcement what is the point?


  3. Alan Shimel  - August 4, 2006 - 12:54 am

    Michael – no offense taken that we are not as big as Cisco or some other shops. We just try harder 😉 Seriously, I am glad that at least we are calling you and asking for your business!

Back to Top