Security Manager's Journal: Road Map Meeting Goes Sideways
When the CIO wants to focus on network segmentation, it's probably best to go along. Besides, he's right.
September 10, 2007 12:00 PM ET, Computerworld
Trouble Ticket
- Issue: It's time to come up with a comprehensive security road map, and the CIO wants to control the agenda.
- Action plan: Go along to get along, and get back on track later.
One of my strategic objectives for the year is something I've actually been looking forward to doing: coming up with a comprehensive security road map. When I've done this in the past, it's been kind of fun. I like to get some people in a room, order pizza and start brainstorming.
If nothing else, this exercise is a good way to identify a wish list and put some dollar figures next to each item. Sometimes it helps you see where the desirable and the doable intersect. To make this intersection easier to spot, I've started using a software package from San Francisco-based Mindjet that makes it easy to capture the ideas that emerge in the meeting and then organize them into a flow tree. It's a helpful tool for prioritizing and making all costs evident.
As it turned out, though, there wasn't any great need to prioritize what came out of our initial meeting.
That's because the CIO made it clear right away that he wanted us to focus on network segmentation. I had kept this first meeting small, inviting only the CIO, the senior director for IT and several managers and architects within IT. I had wanted to be able to control the meeting, and I tried to do that by suggesting that network segmentation was indeed one element of a comprehensive security road map. But the CIO wouldn't budge. Rather than spending the entire hour negotiating, I followed his course.
Happily, what ensued was a worthwhile discussion about something that we desperately need. First, I narrowed the discussion even further, to the rule of least privilege. I've talked about this before, and I believe it's the most important concept in information security: You should never give anyone or anything on your network access to anything that they don't need to do their jobs. "Anyone" can be an individual or a group of people, and "anything" can be a server or an application, for instance. After all, hardware and software have jobs to do, too, but there's no reason to give them access to any part of the network that doesn't relate to those jobs. It wasn't difficult to get the group to agree to this basic philosophy.
Validation Paths
Next up for discussion: What should happen when employees attach their PCs to the network? We decided that we want to ensure that each PC is a valid company resource. We also want to ensure that each PC meets our standards in terms of antivirus protection, patches and applications. And we want employees to be able to do their jobs.
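The three questions above (is this PC a company resource, does it meet our standards, can its owner still work) map naturally onto an admission decision that drops each device into the least-privileged segment that still gets the job done. The following is an added example, not code from the column or from the author's organization; the posture field names, thresholds, segment names and sample devices are all assumptions made up for illustration.

```python
"""Endpoint admission for a segmented network (added example).

Order of checks matters: identity first (is this ours?), posture second
(does it meet the standard?), privilege last (only the role's segment).
A device that fails early lands in a smaller segment, never a larger one.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy thresholds: assumed values for this example, not the column's.
MAX_SIGNATURE_AGE = timedelta(days=3)
MAX_PATCH_AGE = timedelta(days=30)
REQUIRED_APPS = frozenset({"corp-av", "corp-agent"})
FORBIDDEN_APPS = frozenset({"p2p-client", "remote-admin-tool"})

# Least privilege: each role reaches only its own segment (hypothetical names).
ROLE_SEGMENTS = {"finance": "vlan-finance", "engineering": "vlan-eng", "staff": "vlan-staff"}
GUEST_SEGMENT = "vlan-guest"              # internet only, no internal routes
REMEDIATION_SEGMENT = "vlan-remediation"  # patch and AV update servers only


@dataclass(frozen=True)
class Posture:
    """What the admission agent reports about a PC (hypothetical schema)."""
    device_id: str
    domain_joined: bool
    av_running: bool
    av_signature_date: date
    last_patch_date: date
    installed_apps: frozenset
    user_role: str = "staff"


@dataclass
class Decision:
    segment: str
    reasons: list = field(default_factory=list)


def compliance_failures(p: Posture, today: date) -> list:
    """Return every standard the PC misses, so remediation can list them all."""
    failures = []
    if not p.av_running:
        failures.append("antivirus not running")
    elif today - p.av_signature_date > MAX_SIGNATURE_AGE:
        failures.append("antivirus signatures stale")
    if today - p.last_patch_date > MAX_PATCH_AGE:
        failures.append("patches out of date")
    missing = REQUIRED_APPS - p.installed_apps
    if missing:
        failures.append("missing required apps: " + ", ".join(sorted(missing)))
    forbidden = FORBIDDEN_APPS & p.installed_apps
    if forbidden:
        failures.append("forbidden apps present: " + ", ".join(sorted(forbidden)))
    return failures


def admit(p: Posture, inventory: dict, today: date) -> Decision:
    # Step 1: valid company resource? Must be a registered, domain-joined asset.
    if p.device_id not in inventory or not p.domain_joined:
        return Decision(GUEST_SEGMENT, ["not a registered, domain-joined company PC"])
    # Step 2: meets the standard for antivirus, patches and applications?
    failures = compliance_failures(p, today)
    if failures:
        return Decision(REMEDIATION_SEGMENT, failures)
    # Step 3: compliant, so grant the role's segment and nothing wider.
    return Decision(ROLE_SEGMENTS.get(p.user_role, ROLE_SEGMENTS["staff"]), ["compliant"])


# Constructed sample data, dated to the column's publication day.
TODAY = date(2007, 9, 10)
INVENTORY = {"PC-0412": "finance laptop", "PC-0977": "engineering desktop"}

GOOD_PC = Posture("PC-0412", True, True, date(2007, 9, 9), date(2007, 8, 20),
                  frozenset({"corp-av", "corp-agent", "office"}), "finance")
STALE_PC = Posture("PC-0977", True, True, date(2007, 8, 1), date(2007, 6, 1),
                   frozenset({"corp-av", "corp-agent", "p2p-client"}), "engineering")
STRAY_PC = Posture("PC-9999", False, True, date(2007, 9, 10), date(2007, 9, 1),
                   frozenset({"corp-av", "corp-agent"}))

if __name__ == "__main__":
    for pc in (GOOD_PC, STALE_PC, STRAY_PC):
        d = admit(pc, INVENTORY, TODAY)
        print(pc.device_id, "->", d.segment, "|", "; ".join(d.reasons))
```

One caveat a practitioner would raise about step 1: if `device_id` is something the client reports about itself, such as a MAC address, it is trivially spoofed, and the "valid company resource" check is only as strong as that identifier. In practice that step is done with 802.1X and a machine certificate issued by the company's own CA, so the switch or wireless controller authenticates the device before it gets any VLAN at all; the posture and role checks then run on top of that authenticated identity.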