Editor's Note: James Tarala teaches the two-day SANS course MGT415 Risk Management. James will be teaching this two-day class as part of the US Security Awareness Summit in Philadelphia on August 19. Below he discusses the class and how it helps the world of security awareness.
You can’t attend an information security conference, listen to a webcast, or read an article without hearing about the latest data breach or organization that was hacked. After each breach all the security pundits stand up and say that if you had just had this one widget, you wouldn’t have been vulnerable to the breach. And somewhere in that conversation someone will inevitably mention risk management as the panacea for determining whether or not that widget would have helped. Unfortunately, as we talk to practitioners, many people will talk at a high level about the value of risk management, but when you question them on the particulars they struggle for an answer. The bottom line seems to be that while most of us believe risk management is a valuable tool for prioritizing resources and selecting controls, very few of us know what that means, and even fewer of us are actually using it to create a security strategy for defense.
Security awareness is a crucial puzzle piece in any overall plan for defending information systems. Organizations and their staff must be educated on how they can best defend the organization’s critical information assets. Without that education, staff members are left to rumors and their own best judgement, which may or may not be in line with the organization’s strategy for defense. Education and awareness are a crucial piece of any organization’s governance program. For an organization’s awareness program to integrate with its risk management strategy, it has to be part of the overall governance plan. Teaching people not to click on links in emails is important, but how does that fit into the bigger picture of defense? Are there other things we should be teaching our staff? So, to keep it simple:
- Organizations must decide that they want to defend themselves (program charter).
- Organizations must decide how they want to defend themselves (security policies).
- Organizations must educate their staff how the organization plans to defend themselves (awareness and education).
- Organizations must do the things that they’ve decided are the right things to do (implementation).
Risk management is the overseer of this whole process. But as we already mentioned, the practicalities of risk management still escape most of us. To address that issue we created a class at the SANS Institute, MAN415: A Practical Introduction to Cyber Security Risk Management, to teach people the practical steps to take when they want to integrate risk as the overseer of their information security governance program. Our goal when we created this class wasn’t just to talk about academic possibilities or send students home with the responsibility to figure it out for themselves; rather, we wanted students to go home with practical options they can implement right away to better defend themselves. Specifically, we try to answer questions such as:
- What risk management models should an organization consider?
- What are the practical steps involved with performing a risk assessment?
- How can someone decide what controls they should implement?
- How can an organization measure and record progress on their security efforts?
- What metrics are available for organizations to use to measure security?
- How does security awareness fit into the context of risk management?
Risk management does not have to be a mystery; it can be a practical overseer of an organization’s strategy for defense. It is not up to every organization to figure out for itself how it should defend itself. As a community we should be able to work together to make practical plans for defense. While there is no silver-bullet widget for defense, hackers are not magic, and there are things we can do to defend ourselves if we are willing.
Bio: James Tarala is a principal consultant with Enclave Security and is based out of Venice, Florida. He is a regular speaker and senior instructor with the SANS Institute as well as a courseware author and editor for many SANS auditing and security courses. As a consultant, he has spent the past few years architecting large enterprise IT security and infrastructure architectures, specifically working with many Microsoft-based directory services, e-mail, terminal services, and wireless technologies. He has also spent a large amount of time consulting with organizations to assist them in their security management, operational practices, and regulatory compliance issues, and he often performs independent security audits and assists internal audit groups in developing their internal audit programs. James completed his undergraduate studies at Philadelphia Biblical University and his graduate work at the University of Maryland. He holds numerous professional certifications.