Routine Maintenance

By Jonathan Brandt, CISM, CCISO, CFR, CISSP, CSA+, PMP

The Nexus  |  Monday, 09 December 2019

I find that many outside of our profession believe cybersecurity is overly complicated and, frankly, nerdy. Because of this view, soft skills required to translate technical issues into business context are extremely important. This belief may also be dissuading youth from pursuing tech careers and, instead, steering them to be simply consumers of technology. I hardly consider myself a nerd. In fact, my vocational aptitude and abilities make it hard for those I do not work with to fathom my paid profession—something I find amusing. Whenever possible, I use analogies to aid another’s understanding of a topic. I find this useful for explaining everything from car issues to cybersecurity. Those who own vehicles know the importance of routine maintenance, which is the theme of this month’s column.

It can be difficult to see the forest through the trees when cybersecurity work is predominantly reactive or organizations lack sufficient resources to address critical and mundane tasks. For many of you, the end of the calendar year brings about much deserved vacations or holidays away from the office. Recognizing that things tend to slow down around the end of the calendar year makes this an appropriate time to review components and systems under your purview at the office.


It can be difficult to see the forest through the trees when cybersecurity work is predominantly reactive or organizations lack sufficient resources to address critical and mundane tasks.

I trust that security appliances and technology are up to date with the latest firmware and patches, where appropriate. Security, however, is more than just the gadgets and widgets that help create metrics for leadership. Are your security investments appropriate? Your enterprise threat landscape changes over time, so it is customary to periodically review implemented security solutions for relevance and value. Open-source tools can be good options to implement change with minimal cost.

Modern security technologies enable the collection of large amounts of data, much of which are stored in the event something bad happens. But collecting security-related information data for the sake of collection hardly seems prudent. Do not get me wrong: Collecting excess log data is better than the alternative. That is, unless it is collected in ways inconsistent with applicable privacy regulations. However, understanding your enterprise’s business not only informs what but also why the data are collected—a practice that equally benefits security event and log information and customer data. When was the last time you reviewed data collection rules and data sets?

Insiders remain a prevalent threat in today’s threat landscape, yet breaches are continually attributed to them. Partnerships with human resource departments are necessary to grant or revoke access for personnel changes. But do you have visibility into interdepartmental transfers or other position changes? Are roles and responsibilities reviewed periodically with business owners?

When was the last time policies and procedures were reviewed? Date stamps are helpful to know when an administrative document was signed. I believe in annual policy and procedure reviews by appending the date of last review to the document. Doing so aids the continuity of operations.

Professional development is an important ingredient to the continued success of security practitioners. Although many attend conferences or take advantage of other training opportunities throughout the year, these learning opportunities are predominantly individualized. Group or team training provides good opportunities to hone skills and/or review procedures beyond annual enterprisewide tabletop exercises, if they are done at all. Moreover, group training allows for teamwork among peers and fosters a collaborative culture.

Lastly, tuned procedures and technology are worthless without skilled, competent individuals. Everyone needs time away to recharge, which takes different forms for different people. Personally, I prefer ad hoc “morale” days over formal vacations. Whatever your preference, breaks are routine maintenance for mental labor.

Conclusion

I hardly consider myself an “old-timer,” but life’s odometer only counts one direction. The use of calendar aids (especially technological ones) helps plan, organize and deconflict activities. Routine maintenance helps tune components and systems to prolong functionality and minimizes costly repairs.

Jonathan Brandt, CISM, CCISO, CFR, CISSP, CSA+, PMP

Is a senior information security practice manager in ISACA’s Knowledge and Research department. In this role, he contributes thought leadership by generating ideas and deliverables relevant to ISACA’s constituents. He serves ISACA departments as a subject matter expert on information security projects and leads volunteer and paid author management teams whenever external resources are necessary. Brandt is a highly accomplished US Navy veteran with more than 25 years of experience spanning multidisciplinary security, cyberoperations and technical workforce development. Prior to joining ISACA, Brandt was a project manager for classified critical infrastructure projects across the globe.