Infosec Management Tip: Focus on Fundamentals

The basics take attention, consistency, time and iterative improvements. And they’re very effective! But too often we get distracted by other things and never do what’s needed. Instead, planning and project management can go a long way towards actually putting the fundamentals into place. Automating the basics and making them part of a routine frees you up to think about other issues and lets you take action when you find something that really does need attention. And these things usually turn out to be very effective and cost efficient.

Example: I’ve audited a few places with very good security. They’re the ones who start by giving their IT department the authority to operate (solid, board-approved policies), have standardized processes that are actually followed (formal procedures and light audits), harden their systems (limited users, no default accounts or passwords), maintain good network limitations and visibility (segmentation with ACLs and open source IDS sensors that are watched), run solid patch management (quarterly cycles with emergency processes, covering servers and workstations, and not just the OS but also client-side third-party software), and invest in good security awareness (human-based training, awareness at the executive level, regular testing and improvement based on the results). These are all things that take consistency and improvement over time, rather than expensive tools and huge one-time projects.
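One way to make the fundamentals above a routine rather than a one-off project is a small, scheduled check that walks an asset inventory and flags the gaps the post describes: enabled default accounts, OS or third-party software outside the quarterly patch window, and network segments with no watched IDS sensor. The script below is an added example, not code from Stratigos Security or the original post; the inventory format, the list of default account names, the severity labels and the 90-day window are all assumptions chosen to mirror the post's rules.

```python
"""Routine 'fundamentals' audit over a host inventory.

Added example (not part of the original post). The inventory record layout,
DEFAULT_ACCOUNTS and PATCH_WINDOW_DAYS are assumptions: adapt them to the
account names and patch cycle your own policy defines.
"""
from datetime import date

# Assumed vendor/default account names to flag when enabled (constructed list).
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "root", "test"}
# One quarter, matching the post's quarterly patch cycle (assumption).
PATCH_WINDOW_DAYS = 90


def audit_host(host, today):
    """Return a list of (severity, message) findings for one host record."""
    findings = []
    name = host["name"]

    # Hardening: an enabled account whose name matches a vendor default.
    for acct in host.get("accounts", []):
        if acct["enabled"] and acct["name"].lower() in DEFAULT_ACCOUNTS:
            findings.append(("high", f"{name}: default account '{acct['name']}' is enabled"))

    # Patch management: every component counts, OS and client-side software alike.
    for component, patched_on in host.get("last_patched", {}).items():
        age_days = (today - patched_on).days
        if age_days > PATCH_WINDOW_DAYS:
            findings.append(("medium",
                             f"{name}: {component} last patched {age_days} days ago "
                             f"(limit {PATCH_WINDOW_DAYS})"))

    # Visibility: the host sits in a segment with no IDS sensor anyone watches.
    if not host.get("segment_monitored", False):
        findings.append(("low", f"{name}: segment '{host.get('segment')}' has no watched IDS sensor"))

    return findings


def audit_inventory(hosts, today):
    """Run audit_host over every record and return all findings in order."""
    findings = []
    for host in hosts:
        findings.extend(audit_host(host, today))
    return findings


def summarize(findings):
    """Count findings per severity so the result can be tracked over time."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


# Constructed sample inventory: two hosts with deliberately mixed hygiene.
SAMPLE_INVENTORY = [
    {"name": "ws-01", "segment": "workstations", "segment_monitored": True,
     "accounts": [{"name": "jdoe", "enabled": True}, {"name": "Guest", "enabled": False}],
     "last_patched": {"os": date(2024, 3, 1), "browser": date(2023, 11, 15)}},
    {"name": "srv-db-01", "segment": "database", "segment_monitored": False,
     "accounts": [{"name": "dba", "enabled": True}, {"name": "admin", "enabled": True}],
     "last_patched": {"os": date(2024, 2, 20)}},
]


def run_sample(today=date(2024, 4, 1)):
    """Audit the constructed inventory as of a fixed date (keeps results reproducible)."""
    return audit_inventory(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    results = run_sample()
    for severity, message in results:
        print(f"[{severity.upper()}] {message}")
    print(summarize(results))
```

Run it from a scheduler after each patch cycle and diff the summary against the previous run; the trend (fewer highs, stale components disappearing) is the evidence of iterative improvement the post asks for, and a sudden new high is the kind of thing that genuinely deserves attention.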

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!
