
Pssst...Don't be too good at your infosec job

By Matthew Burbidge
Johannesburg, 17 May 2017
Mai Moodley: Make sure your security investment talks to your risk profile. If there's no link, there's no value.

When a major cyberattack hits the headlines, many forget the underlying issue of why they were hacked in the first place.

So said SITA's Maiendra Moodley at the ITWeb Security Summit this week, adding that he'd been asked countless times about 'this ransomware story' over the last couple of days.

Moodley, who heads up financial systems and processes at the agency, said his customers keep asking him 'what they could buy' to solve their security issues, but seemed less interested in putting proper practices in place, such as making sure software was up to date and patches had been installed.

Six steps to improving your security posture

  1. Understand the organisational drivers. These drive the positioning of security, politics, placement, perception, and budget.
  2. Invest in a coherent risk analysis that links the organisation's specific risk profile to its security investment. It needs to be regularly updated.
  3. Draft a scenario plan, and use the risk analysis to inform scenario planning, such as what security options to invest in and when to switch or opt out.
  4. Adopt, implement and optimise an information security standard and project management standard.
  5. Develop a clear training programme for leadership, commercial, and technical competencies.
  6. Learn to manage yourself.

Ironically, information security experts who did their job well may have inadvertently convinced their managers that employing them was 'an unnecessary expense'.

"They take it for granted that you must be doing nothing because nothing goes wrong," he said, adding that there have been no reported incidents of ransomware in the public sector.

Moodley also dispensed a lot of business tips, which were all the funnier because many rang so true. "You just need PowerPoint - if you haven't learnt this as a security practitioner you've missed the most vital job skill."

Another trick to persuade managers that you needed more budget, was to mention the 'G word' (Gartner) and then bamboozle them by mentioning hype cycles and magic quadrants.

However, you must make sure that the security investment talks to your risk profile, he said. "If there's no link, you can't explain what the value is. You will keep on spending money with very little return."

He said the higher an employee climbed the management ladder, the better they became at protecting their job, and the more risk averse they became. The employee also became more adept at using bureaucracy, such as 'turning everything into a committee'.

Moodley mentioned the case of Cuba, which had almost eradicated illiteracy in a 'year of education' in 1961 by sending brigades throughout the country. "They picked one problem, and fixed it, and then they moved on. What we do is launch a war on everything, and then it becomes a perpetual thing, and it never ends."

"It's the same thing with information security. If you picked one thing and you did it well, and next year you picked another thing, you would have at least achieved two things that were done properly. If you try and chase 24 things with a quarter of the budget, you're lucky if you get anything right."
