In a smaller organization, building relationships is pretty easy, as the chances of bumping into the same person over and over again are high.
You might see each other in the elevator, then in the kitchenette grabbing a coffee, a meeting later in the day, and finally at the bar down the street.
This close interaction allows you to easily communicate with your peers, and if you need to get some information, there is no hesitation in just asking.
Contrast that with life in the large enterprises and corporations like a bank. Thousands of people coming and going every day, large cafeterias, conference calls instead of meetings, and you need to get an invite to the bar.
If you are sitting in your grey cubical working on your UML model and hit a road block, for instance, not fully understanding the new international payment conversion system, who will you ask? Those intimate relationships at the smaller organization are hard to come by.
Maybe your cubemates, but they are likely in the same boat as the conversion system just came out of nowhere.
In a large enterprise, communication is complex and full of red-tape; e-mails, conference calls, meetings on top of meetings, memos, document management portals, and so on.
Wouldn’t it be nice to find a single resource that has all the answers?
Our Tentacles are Everywhere
I would suggest that resource is a Security Analyst.
The reason is simple, anyone involved in Information Security needs a detailed understanding around how things work; where the dependencies are, the inner workings of programs and applications, who has administrative control over sensitive information, where the information is being stored, and how clients and programs interact with the data.
Performing threat risk assessments (TRA) involves an intimate understanding of a solution or service. This means everything from the pretty UI right down to the bits of code your development team scribed to make it look that way.
The only way to understand these systems is via detailed communication with stakeholders, architects, business analysts, systems and network administrators, executives, clients and their technical resources, board members, vendors, ISPs, and the list goes on.
Wealthy Resource
If we analyze all the areas of the business a security analyst touches, you will quickly realize that we are a wealthy resource of corporate information that you, the business analyst, should utilize.
Want another example? When there is a virus outbreak like the Trojan.Dropper, there are incident response plans that kick into gear; these are similar to a DR/BCP plan if you are familiar with those.
These plans require business owners to divulge detailed information about how the service, such as a Web 2.0 e-commerce portal, operate; who administers the service, what hooks into it (Identity Management (IDM) service, DNS, Load Balancers), what the service level agreements are, and so on.
A security analyst, and more correctly, the Information Security Group in your enterprise, will have a wealth of organizational intelligence including access to executive and potentially board level members.
Meeting the Mission of the Enterprise
Forming a positive and co-operative relationship with your information Security group is vital, and although they will not be able to release everything to you, (data classification restrictions like need to know, top secret, etc) your access to information often times will be faster and more current through them.
The Information Security group has the mandate to protect the business information assets, and as I have illustrated we need the help of the business, systems, and project analysts, as well as many others, to succeed.
It’s only fair that you come to us when ever you need help, like in the instance of the new payment conversion system.
Tap In
In order to help you tap into this well of knowledge, I have created a list detailing ways Information Security can help, and the types of information you can extract from them.
If you don’t know anyone in the group, break the ice by asking for a copy of the latest security awareness presentation.
After you have read it, start firing aware with your questions, but I suggest you ask in person if you want to get past the boilerplate answers and into the real juicy information.
Who knows, we might have a question or two for you.
| |
What we (the security analysts) have |
Why you (the business analysts) want it |
| 1 |
Threat Risk Assessment Reports |
Often InfoSec finds the same vulnerabilities in the various enterprise projects because they are all following the same processes for building systems or services. Correcting this will save you time in deployments or upgrades, and give you the opportunity to correct a business process. |
| 2 |
Governance Gap Analysis Reports |
InfoSec will often review a business process and map them back to a security policy. If a policy states “all communication must be encrypted” but the process for building a service doesn’t allow for this, there is a gap, and a risk will be identified. Correcting these gaps will improve the enterprise security posture. |
| 3 |
Metrics and Status Reports |
Your group may have metrics or KPI already in place. Our metrics are looking from different angles. Combining/sharing metrics will give the business a more complete and less confusing view of the current status/posture. If you want to learn more about metrics, formulas, and KPI, InfoSec is a great resource as we use them all the time. |
| 4 |
Watchlists |
Keeping up to date with current security threats and events (Like TJ MAXX) will give you an insight into what might require change at your organization. It also gives you icebreakers for when you bump into one of us. |
| 5 |
GPS locations of local bars and pubs |
Having a quarterly information exchange sessions in an informal setting can really help, especially if there is beer involved. |
| 6 |
Policy, Guidelines, and Standards |
These will give you everything you need to get the job done as they set the standard on what the enterprise will allow and how. Instead of staring at the 4 foot pile or paper, ask InfoSec to sit down and give you the nuts and bolts. |
| 7 |
Architectural Documents/Build Books |
You may have access to these from another group, however, often times InfoSec will extend or add to existing documents. For example including the DR site. |
| 8 |
Contact Information |
When you are really struggling to find out the ‘who’ to your questions, ask InfoSec and they will point you in the right direction. |
| 9 |
Google Knowledge |
Have you ever spent hours looking for something on the Internet and came up blank? Infosec professionals are required to be Googlesmiths. We can show you the 101 and beyond. |
| 10 |
Access to Test Labs |
Have you been involved in a project and wondered if an idea you had would work? Or maybe you really want to learn hands on how access controls work. Our test labs are just for you, if you ask nice. (see #5) |
Author: Stewart Allen is a certified Information Security Consultant with over 12 years of experience performing threat risk assessments, penetration tests, and incident forensic response. Acting as Information Security Advisor, Mr Allen is often utilized for magazines like Dark Reading. Many of his published works have been referenced by some of the top industry resources like Carnegie Mellon, IEEE, and the SANS Institute. If you would like to learn more about the author he can be found on LinkedIn.