By Mike Rothman
The 5 W’s of security management
I’ve seen it happen about a thousand times if I’ve seen it once. A high profile project ends up in a ditch because there wasn’t a proper plan defined AHEAD of time. I see this more often in “squishy” projects like security management because success isn’t easily defined. It’s not like installing a web application firewall, which will be deemed a success if it blocks web attacks.
Security management needs a different set of drivers and a more specific and focused discussion of what is “success,” before solutions are evaluated. Before vendors are consulted. Before you do anything. I know it’s hard, but I want you to take a deep breath. If you can’t answer the following questions about your project, then you have a lot of work to do before you are ready to start thinking about specific solutions.
First and foremost, you need to have a clear understanding of your goals and your budget and make sure to line up your executive support. Ultimately someone is going to have to pay the check for whatever it is you want to buy. So you will be a lot better off if you take a bit of time up front and answer all these sticky questions.
A favorite tactic of mine is to ask the 5 W’s. You remember those, right? It was a grade school thing. Who, what, where, when and why? Pretty much anything you need to do can be clarified and distilled by isolating the issues into the 5 W’s. I’m going to kick start your efforts a bit and walk you through the process I take with clients as they are trying to structure their security management initiative.
The first thing to understand is WHY you are thinking about security management. What is the driver for the project? Are important things falling through the cracks and impacting your operational efficiency? Did an incident reveal a distinct lack of data that hindered the investigation? Maybe an auditor mandated a more structured approach to security management? Each of these (and a ton of other reasons) is a legitimate driver for a security management project and will have a serious impact on what the project needs to be and accomplish.
Once you have a clear understanding of why, you need to line up the forces for the battle. That means making sure you understand who has the money to pay for the project and who has the final approvals. If you don’t understand these things, it’s very unlikely you’ll drive the project through.
After you have a clear idea of which forces will be at your disposal, you can determine the WHO, or which folks need to be part of the project team. Do the network folks need to be involved, the data center folks and/or the application folks? Maybe it’s all of the above, although I’d push you to focus your efforts up front. You don’t want to be in a position where you are trying to boil the ocean. You want to be focused and you want to have the right people on the team to make sure you can achieve what you set out to achieve. Which brings us to the next question…
The WHAT gets down to managing expectations, which is a blind spot for pretty much every security professional I know. Let me broaden that. It’s an issue for everyone I know, regardless of what they do for a living. If you aren’t clear, and thus your senior team isn’t clear, about what this project is supposed to achieve, it’s going to be difficult to achieve it.
Any organization looking at security management needs to crisply define what the outcomes are going to be and design some success metrics to highlight those outcomes. If it’s about operations, how much more quickly will issues be pinpointed? What additional information can be gathered to assist in investigations, and so on? This is really about making sure the project has a chance of success because the senior team (the ones paying the bill) knows where it’s going ahead of time.
The WHERE is all about scope. Believe me, defining the scope effectively is perhaps the most critical thing you can do. Get it wrong on the low side and you have budget issues, meaning you don’t have nearly enough money to do what your senior team thinks is going to get done. Budget too high and you may have an issue pushing the project through or getting the approval in the first place.
Budgeting is much more of an art than a skill. You need to understand how your organization gets things done to understand how you can finesse the economic discussion. A couple of questions to understand are: Is this an enterprise deployment? Departmental? Regional? Most importantly, is everyone on board with that potential scoping?
The last W, WHEN, is about understanding the timeline. What can or should be done first? This is where the concept of phases comes into play, especially if your budget is tight. How do you chunk the project up into smaller pieces that can be budgeted for separately? That usually makes a big number go down a bit easier.
The key is to make sure you have a firm understanding of the end goal, which is presumably an enterprise-wide deployment of a security management platform. You can get there in an infinite number of ways, depending on the project drivers, the budget, and the skill set you have at your disposal.
But you certainly can’t get there if you don’t ask these questions ahead of time and determine a logical strategic plan to get to where you need to be. Many projects fail from a lack of planning rather than a lack of execution. As long as all of your ducks are in a row when you start the process, you have a much better chance to get to the end of the process.
Or you can hope for a good outcome. I heard that’s a pretty dependable means of getting things done.