Pay it forward / Advice for the security admin and manager


I am going to combine my security tip of the day with my series of advice for security admins and managers.  So here goes:

I can sum up this advice post in two words: due diligence.  It is obvious that due diligence is necessary in all aspects of security and other areas, but let's go over a few examples:

  • Due diligence in your security solutions:  As a security manager, I get calls from vendors wanting me to buy their security products on a daily basis.  Many of them are big guys like Cisco.  Many are smaller shops like StillSecure (no offense Alan).  Now, the name recognition that comes with Cisco instantly draws me to them.  Cisco has a major role in my network (no surprise), so the familiarity with their product makes me instantly pay attention.  And I know as a busy security manager that I could probably buy their product without looking around and doing my DUE DILIGENCE and get a decent product that my boss is not going to gripe about.  But that goes back to the ol’ “good enough” discussion between Alan Shimel and Michael Wright.  Cisco does make some fine products, but they are simply not the best when it comes to security.  What I should do is take the time to look at other solutions, and then determine what the best solution is for my business.
  • Due diligence in keeping your security measures up to date: Let’s look at an example.  Take the good ol’ IDS.  Many people proclaimed the death of the IDS years ago.  But I believe with the surge of SIM / SEM products out there, the IDS can be used in conjunction with an IPS to give some really good info as to what is happening in your network.  Of course, you have to tune your IDS, and you have to maintain signatures.  And you have to make sure your SIM / SEM is set up to alert on current attacks and maintained to recognize any new attacks or new devices in your network.  This type of due diligence needs to be applied across the board.
  • Due diligence in procedures: Policies are easy.  Procedures are a bear.  But they are infinitely more important than policies because they define how the policies are applied.  Without procedures, policies are essentially worthless.

Practicing due diligence will make your network secure and your career successful.  Getting a reputation for being anal can sometimes be a bad thing, but in security it is an endearing term.

Vet

About the author:

My name is Michael Farnum. I am a Practice Principal at HP Fortify on Demand. I live in Tomball, Texas. I have been in the IT and InfoSec field since 1994. I am the founder and chairperson of HouSecCon, THE Houston Information Security Conference. These are MY words, not my employer's or anyone else's.
