So, after a long time, i finally broke my jinx of not updating my blog! I hope to keep updating it more often now.
Life is a collection of memories. If you don’t have memories, you don’t have a life (which means you are dead. That is why Shiva — the lord of death — is also called “smarahara”. “smara” incidentally, is sanskrit word which has two meanings. One, it refers to kaamdeva — the god of love. It also means memories. Amazing language, isn’t it? But i digress). My information security career has also gifted me with many memories, one of which is this interview. I didn’t like one of my responses during the interview and i kept going back to it, for some reason.
I finally got the reason (or so i think). This LinkedIn post is an introspective attempt to articulate that reason. Please find a reproduction of the same below: -
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Being a thick skinned guy that I am, I usually don’t like to admit mistakes. Scratch that, I NEVER like to admit mistakes. However, there are instances when one, during introspective phases (I know, it is a big word, yipee-ka-yay — MS Word 2013), identifies his/her mistakes and what he could have done instead of how-could-I-do-it and wish-he-forgets-it type of things.
So, during one of those ‘aha’ moments, I realized a mistake that I happened to commit during one of my interviews.
Around the end of an interview, one of the interviewer asked me this question
“If you had unlimited budget, what would you have done to improve your organization’s security posture?”
Now, on the face of it, this is a pretty open ended question that allows you to articulate some of the key controls / strategies that you think would add value to an organization’s security posture. This question also allows an interviewer to probe the mind of the person who is being interviewed to gauge his priorities. AND, this is also the sort of question, the response of which, will open you up to scrutiny.
When I faced the interviewer, I was on the way from a normal ISMS professional to a higher plane (by establishing a SOC or Security Operations Center). I was then struggling with handling incidents with limited resource and skill (more on skills and competencies in a later post), so my response was a reflection of my struggles:-
“Given unlimited budget, I would like to invest in a tool / technology / process which ensures that infected machines are isolated as soon as they are identified. Also, I would like to be able to analyze them faster”.
How wrong I was!
An organization’s security posture is dependent on the following 3 Ps:-
People, Process, Technology
People — The most important thing in the triad. If people
(a) don’t have an understanding of the information that they have and its value and
(b) don’t want to secure it (due to different reasons, and surprisingly, deliberate espionage doesn’t feature till the end of the list), you will not be secure no matter how many processes and technical measures you have.
Think of all the passwords that have been shared, all the intellectual properties lost due to people and you will get the drift of what I am trying to write here. Awareness sessions on information security DO’s and DON’Ts, communicating all and any process changes to all relevant people, assessments (both online and behavioral) to gauge how people treat information security when no one is watching are some of the things that an organization can do to ensure that people act their part to keep information secure while handling. All information security branding related activities would also come here. The branding activities could include posters, quizzes that includes giveaways, etc.
Process — I can never tire of saying this “The way you handle information will dictate how secure you can make it”. Please refer to this post to know more about my thoughts on this.
Technology — All technical gadgets worth their salt (e.g., DLP, SIEM, IDS / IPS, Firewall, etc.).
So, while technology is important, information security is inherently a people and business problem. It is perfectly possible to implement a cost-effective ISMS that is aligned to the business and it is equally easy to botch it by blindly implementing “best practices”.
What I should have said
“Given unlimited budget, I would invest in security awareness at all levels, coupled with good detection tools, a superb DLP tool, and a capable incident response team”.
Now that would be a better answer, don’t you think?