© 2019 InfraGard National Capital Region Members Alliance.  

WARRANTY DISCLAIMER  The FBI, InfraGard, and its affiliates provide information, including but not limited to software, documentation, training, and other guidance to be known as “materials.” The materials are provided as-is and we expressly disclaim any and all warranties, express or implied, including, and without limitation, the implied warranties of merchantability, fitness for a particular purpose, non-infringement, quiet enjoyment, and integration, and warranties arising out of course of dealing or usage of trade. You agree that, as between you and the FBI, InfraGard, and its affiliates, you are responsible for the outcome of the use of materials made available, including but not limited to adherence to licensing requirements, and taking legal and regulatory considerations into account. There is no guarantee of accuracy, completeness, timeliness, or correct sequencing of the information provided.

OFFICIAL LINKS

  • White LinkedIn Icon
  • Facebook Clean
  • Twitter Clean
Please reload

Recent Posts

I'm busy working on my blog posts. Watch this space!

Please reload

Featured Posts

Vantage Point: Protecting critical infrastructure through process

 As security professionals, we are bombarded by products that promise to solve our security problems.  It is easy to find verticals where four or five different vendors will claim to be the best solution and will even cite data from third parties to back up their claims.  For example, I have lost count of the number of vendors who claim to offer a "single pane of glass" that will give me a comprehensive view of the security of my networks and data.  While many of these products can add value, it is easy to get lost in a sea of security products.  

 

What I try to remember is that security is really about process, not about products.[1] At its core, security is the process of managing risk and protecting assets.  Those assets can be physical (a gas turbine), human (our families, coworkers, and other fellow Americans), or virtual (intellectual property).  Getting better at the process of managing risk and protecting critical infrastructure assets is what InfraGard is all about.

 

There are a variety of frameworks for analyzing security.  One that I am familiar with is NIST's Cyber Security Framework (CSF).  In this model, NIST looks at security as consisting of five key functions -- identify, protect, detect, respond, and recover.  There are a variety of security products that line up with each of these, but the most important part of the framework is the way it makes you think -- understanding the assets you are responsible for, the risks that might affect each of these assets, the impact of an incident affecting one or more of those assets, and controls that can be put in place to mitigate risk and impact.  

 

When I follow a disciplined process like this, I find that security does not have to be as hard as it sometimes seems.  Don't get me wrong -- I know very well that security is not easy, especially in large, complex environments that face a very diverse threat landscape.  But it is also not impossible.  Developing and exercising critical security processes like incident response can help any of us reduce the risk of suffering a loss and the impact or duration of a loss.  

 

Depending on your industry and specific security needs, there are other frameworks that may be a better fit for your organization, but most share a common focus on process.

 

Regardless of which framework you choose, they should not just be compliance exercises.  When used effectively they can change the way we think about protecting our critical assets.  It is an old adage that there is no such thing as "perfect" security, but robust processes and a culture of continuous improvement allow us to get a little better every day.  

 

[1]Security authors have been telling us that security is a process for decades, but we often lose sight of that fact in the search for a tool that will solve our security issues.  Bruce Schneier wrote a famous essay about this topicas far back as the year 2000.

Please reload

Follow Us
Please reload

Search By Tags