Security Strategy: From Requirements to Reality
Posted on by Ben Rothke

Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson is arguably the best information security book ever written.  Anderson’s premise is that security technology needs to take a structured engineering approach to systems design, with detailed requirements and specifications from start-up through development and implementation, just as those who design buildings and bridges do.  Anderson argued that without a deeply embedded structured approach to security systems design, we find ourselves in the situation we are in today, with applications and operating systems full of bugs, vulnerabilities and other serious security flaws.

As good as Security Engineering is, it was not written to be a detailed information security design guide.  That vacuum has been filled by an incredibly important and valuable new book Security Strategy: From Requirements to Reality. 

Security Strategy is one of the first books that shows how to perform a comprehensive information security assessment and design, from the selection, development and deployment of a security strategy best suited to a specific organization.

The book's main focus is on the planning, requirements and execution needed to ensure that formal and comprehensive information security elements are built into systems, applications and processes.

Authors Bill Stackpole and Eric Oksendahl each have over 25 years in the industry, and the book reflects their vast expertise.  Oksendahl spent time at Boeing, one of the most security-aware organizations, and Stackpole spent a decade at Microsoft.  While Microsoft is chided for creating more insecurity than security, it is worth noting that no organization in the world has spent more on training its staff and developers on security than Microsoft.

The book's 300 densely written pages are composed of 14 chapters divided into 2 sections.  Section one (chapters 1-6) is about strategy, and section two (chapters 7-14) is about tactics.

Complete with checklists of the physical security requirements that organizations should consider when evaluating or designing facilities, the book provides the insight needed to enable an organization to achieve the operational efficiencies, cost reductions, and brand enhancements that are possible when an effective security strategy is put into action.

Chapters 1-3 give a high-level overview of how to approach strategy, with its many details.  The authors note that strategy is a long-term plan of action designed to achieve a goal, and that it includes what work will be done and by whom.  This is not a trivial task, as many organizations simply roll out a new technology without defining what its goals are and who exactly will manage and support it.

Chapter 4 is where the hard work begins, as this chapter details the issues around strategic planning.  Because strategic security planning is hard work and takes time, many organizations attempt to take an assumed easier path: bypassing security details and specifications.  That is precisely why information security is in such a sorry state in many firms.  These firms would rather buy a security appliance, place it in their data center and hope it works, rather than first defining the details and specifications of what the appropriate appliance is.

Part 2 commences with the topic of tactics, and defines them as procedures or sets of actions used to achieve a specific objective.  What this chapter does well, as does the entire book, is compel the reader to focus on specifics and objectives.

Chapter 9 gets into the importance of observation, that is, knowing what is going on within the network.  The book notes that observation is both a deterrent and a detector.  The chapter goes into detail about how observation works in the physical world and about its counterpart on the network side.  The chapter breaks down the various functions needed to ensure that observation is done correctly, as opposed to the common method of simply rolling out an IDS and hoping that it somehow works.

Chapter 11 details the SDL (security development lifecycle).  As the chapter notes, an effective SDL can improve application security through a set of development practices designed to reduce or eliminate exploitable vulnerabilities.  The issue, though, is that far too few organizations realize the need for an SDL, let alone take the time to design and deploy one.

Chapter 14 ends with the topic of security awareness training.  While for many firms the notion of security awareness is an annual 10-slide PowerPoint, the authors take a pragmatic approach and detail the various parts of what makes for an effective awareness program.

Security Strategy: From Requirements to Reality is an incredibly valuable book that advances the state of information security.  For organizations that are looking to get serious about information security, and those that want to go from good to great, the book is an invaluable guide that lays the groundwork on how to develop a first-rate information security infrastructure. 

A look at its table of contents shows the fine level of detail in which the book treats each topic, showing how each can be properly designed and deployed for effective security controls.

My only peeve with the book is that it lacks a CD-ROM or web site from which to download the many tables and matrices the book is built on.  It is hoped that future editions will make them available.

Security Strategy: From Requirements to Reality is one of the best information security books of the last few years.  Those who are serious about information security will ensure this is on their reading list, and that of everyone in their organization tasked with information security.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
