So as I mentioned in my first post of 2011, I decided to make a resolution to try a new recipe each week for the year. Don’t get me wrong, prior to this I knew how to cook; it was just a somewhat limited menu. So one month in I have expanded my recipe box by 14 items. I have cooked or baked a range of items and I am starting to learn a few things. One important thing I have learned is that there are two things that make me nervous when trying something new. The first is when the cooking time is a range, which means I have to make a judgment call. The second thing that makes me nervous is the phrase “Season to Taste.”

I am still learning the way different spices add flavor to the food, so season to taste means I have a much greater chance of failure. A perfect example is when I was making a sweet potato mash my wife had heard about on a cooking show. The recipe called for zesting an orange. It is very easy to add too much zest, and the first time I made the mash I over-zested. However, in my failure I learned a valuable lesson that will help me in the future. Just like in cooking, there is a “season to taste” aspect to information security.

Anytime you try a new security product or architecture there is a period where you need to tune it to your environment. Each organization defines what level of risk it will accept, and the information security strategy should support that assessment. This means when you add new features you have to make sure they support the acceptable risk. First you build the solution in a test environment and see how it works. Then you begin to adjust the settings until you find the point where it meets the organization’s objectives. Once you have it properly “seasoned” you put it into the production environment and monitor it to ensure it operates as expected. Just like any good recipe, over time you begin to add or remove functions/settings to make it operate even more effectively.

Although it may seem cooking and security have nothing in common, it would appear we can learn a little about each from the other. I suppose that is why others often use the phrase “bake security in.”


Driving home a few days ago I happened to be in the left lane, aka the passing lane. The highway split off in two directions and I found myself behind a tractor trailer. I soon found that the tractor trailer was moving slower than the middle and right-hand lanes, and the people behind me kept switching to the middle lane to get around the truck. If you have ever been in this position I am sure you find it frustrating, because no one will let you get over when you are the person directly behind the truck. This went on for more miles than was reasonable for the driver ahead of me to be staying where he was. Finally the driver moved over and I was free to resume a more reasonable pace to get home to my family.

Of course all was not lost being trapped behind the truck. It made me think about controls, and how often we let old, slow-moving controls continue to live. In IT and information security things are moving at a rapid pace, although sometimes we are just reviving old technology with a new name. The point is we cannot just design a control environment and then let those controls run till the end of time. In the same respect, we shouldn’t let our auditors fall back on the controls they are most comfortable with just because they have worked in the past. From my time auditing local governments, I found people were reluctant to change a control even when it was no longer efficient or effective. The reason behind this was always “The auditors look for that.” From the perspective of an attestation, an auditor shouldn’t be the one to designate the controls; rather, management should. It is then the auditor’s job, with the assistance of you, the client, to show how those controls effectively do their job.

This means we constantly need to re-evaluate the controls we have in place to see if they make sense. When the technology behind the intended control changes, the control itself should be updated as well. This doesn’t mean the old controls go away; rather, the old control should be enhanced. If you properly document the rationale behind your controls and ensure they are effectively controlling the environment, there should be no problem convincing your auditors. The key to getting audit buy-off is being transparent about how the control works and educating them as to why other controls don’t work. People often want to complain about auditors and their checklists, but if we don’t constantly ensure our controls are current with business needs and technology, we are asking the auditors to just bring along the checklist.

Keep those older controls in places where they are still effective, but don’t be afraid to update controls when the environment warrants the change. Remember, controls aren’t for the auditors; controls are to protect your organization.


Half Baked Security

Welcome to 2011. A new year, one certainly filled with new threats to systems housing information assets. Does this mean we should all despair? In short, no. First, though, I want to talk about cooking. I have recently taken to cooking new things. When I first got married I knew how to cook only two or three things, and over the course of time my wife has taught me how to make a few more. Still, I find from week to week I make the same things on a regular basis. Inspired by the many cooking shows my wife and I watch, I began to try new ingredients in my standard menu items. In the last few months I have picked up some new recipes that have met with some success.

As the new year begins I have resolved to try a new recipe at least once a week, ensuring that by the end of the year I will have almost two months of dishes under my belt. What I have come to realize is that when restaurants have their tried-and-true recipes that people rave about, plus those unique specials that only come around a few times, they are highly successful. That doesn’t mean it is always successful, but that formula seems to be the best. When you think about it, if a restaurant always served the same thing and then a new restaurant opened next door with something new, the established place is likely to suffer. Given enough time the original establishment will become just another place to eat.

Just like cooking, managing information security requires tried-and-true methods mixed with new techniques. Attackers are always looking for a way in; that will not change. So making it more difficult to find your vulnerabilities is critical in thwarting many of the attacks. When you rely on the same methods that everyone else is using, it becomes easy for attackers to develop a scripted attack methodology. Furthermore, if they know your response techniques they can stay several steps ahead as you try to stop them. If you mix things up, add new techniques, and think ahead of the curve, you may throw them for enough of a loop that you get the upper hand. At a minimum, your systems become a less desirable target to many small-time attackers because there is a higher risk of detection.

Staying ahead of the curve, and adopting the type of thinking used by attackers, is exactly the type of response we need to add to our mix of security methods. In cooking, I was afraid to try new recipes for fear they would taste bad. Fear kept me from being successful, not because I couldn’t do it, but because I wouldn’t do it. In this new year we need to take the reins and understand we can’t always have the upper hand, but we can gain it more frequently if we stop being afraid and start challenging ourselves and our industry. Let’s share our new recipes, improve on each other’s, and make progress in 2011.