If you didn’t have a chance to join some 350+ of your fellow IT and Security Pros at our Shields Up Panel: Network Security Fundamentals, Fight! THWACKcamp session – you’re in luck, we took some notes.
Our panel was comprised of Eric Hodeen, Byron Anderson, our moderator Patrick Hubbard, and me, c1ph3r_qu33n.
Compliance v Security was the theme this year, and we tackled 4 big questions:
- Have security practitioners and business owners figured out how to work with compliance schemes instead of fighting them?
- Are you more or less secure when you put compliance first?
- What benefits (or harms) do compliance schemes and checklists offer?
- If you are new to compliance, where do you start first?
Our panelists felt that security and compliance teams are generally getting along better. However, there are still times when a business owner looks only at the penalties or risks of non-compliance and doesn’t consider the impact to the business of following a standard blindly. This can be especially true of highly proscriptive standards like DISA STIGS (Defense Information Systems Agency - Security Technical Implementation Guidelines), or NERC CIP (North America Electric Reliability Corporation – Critical Information Protection). The challenge for IT and security pros, is to effectively communicate the potential business impacts and to give the business owner the ammunition to argue for a waiver or request a compensating control. This way your organization can reach an optimum balance of compliance risk vs business needs.
One of the misconceptions that business owners may have is that a compliance scheme comprehends all the organizations security risk, so nothing further needs to be considered. As practitioners we know that compliance schemes are negotiated or promulgated standards that take time to change. Adjusting for changes to the threat landscape and addressing new technology innovations in a rapid fashion are challenges for compliance schemes. Furthermore no compliance standard considers every nuance of every IT environment.
So that is one of the risks of taking a compliance only approach. But no one on the panel felt compliance schemes don’t have value. Like other good guidelines and checklists, such as the OWASP top ten, or the SANS Critical Security Controls, compliance checklists can add value to an organization, especially as assurance. The panel was divided however, on whether you start with a checklist, or you end with a checklist. The answer may depend on your organizations maturity. If you’ve been doing security for a while, using a checklist to validate your approach may add an extra layer of assurance. If you are new to security, however, a good checklist can be a great asset as you get started in this new IT discipline.
Speaking of getting started, we all had different ideas about what is your most important first step. One of us said default passwords, which insidiously have a way of creeping back into the organization – whether it’s from a new install, or a reset of an existing device – default passwords still haunt us. Another panelist thought end users were the biggest challenge, and maintaining good security required strong user participation. Anyone who has dealt with ransomware or phishing knows how important it is to keep users informed of likely risks and good security hygiene.
We all agreed that THWACKcamp was great fun and we hope to see you all next year. If you’ve got an issue you’d like to see the experts take a stab at, post your questions and we’ll put them in the idea basket for next year.