Not so much.
I admit I am an anomaly, but so are most of you. We think security is easy. Just Do It. Soldier On. Cowboy Up. <Insert all other relevant cliches here>. Mostly it is easy in regards to knowing what you have to do, it is just a matter of doing it. It's just work.
In many cases there are budget constraints and cultural constraints that inhibit moving forward. I am going to ignore those for now and remove those variables. I am going to Scientific Method this circa 4th grade:
Purpose: Verify an Information Security Program is easy to implement removing cultural and financial constraints.
Given: Everyone in your organization is culturally on board with security. Your Executives have signed off. Your Finance folks have given you the budget. Your Operations folks have thumbed up (yes I just made that a verb) everything you want to do from hardening, to monitoring, to policy oversight, to compliance. Everyone is IN!
Hypothesis: Security is easy! I'll just tell everyone what we are going to do and each one of us will do a little bit, no problem!
Experiment: Ok, let's look at *everything* we need to do:
- We need to track this and we need to measure it
- BUT, we need to track it and measure it in ways that fit our business and our clients' business, not in ways that a quick Google search of "tracking your security program" will accommodate
- We need to communicate, educate, track, and report:
  - What the Security Team needs to do, overall from a strategic and budgeting standpoint
  - What our IT Operations teams need to do
  - What we need to report to our Executive Leadership
  - What we need to report to our Board/Business Owner
  - Let's not forget auditors, compliance, etc.
- Somehow figure out how to combine the above into a tracking and reporting mechanism that is *not administratively burdensome*, where we have to create 4-5 different reports to accommodate each audience
Results: WE ARE TOTALLY SECURE!!! Just kidding. Not really. Hopefully not kidding at all.
In all seriousness, I think there are two critical points to securing our environments that are the most difficult, and those are managing and tracking. Despite all the tools available, it still requires a brain to think and fingers to type to ensure that we have the appropriate level of management and oversight and that we are COMMUNICATING this to our audiences.
That's the hard part; doing security is easy. Reporting and tracking, kind of a PITA.