I was recently asked to comment on the most commonly overlooked components of operational security. To get the correct answer, sometimes it helps to take a step back and make sure you are asking the right question. The question should be “How do you ensure that your security program satisfies your operational security requirements?” With that question, the overlooked components will be obvious.
Effective operational security requires an immense breadth of knowledge as well as an unforgiving level of technical depth and exacting performance. No one can keep all of the big picture requirements and the associated operational details in their head – so we have to work smarter. By that I mean that organizations need to adopt a comprehensive security framework such as ISO 27002 because it forces them into a disciplined process to reason about all of the major security areas and determine how each applies in the context of their business.
Second, we need help in getting the details right. If you have never read Atul Gawande’s Checklist Manifesto, I strongly urge you to do so. He documents scientific detail in the fields of medicine, air travel, and many others the dramatic improvements in outcomes that can be gained by making sure the details are performed correctly 100 percent of the time (e.g., using a pre-surgery checklist to ensure antibiotic was administered before surgery and the arm opposite the target operation has the words NOT THIS ARM clearly written on it).
The best way to ensure that critical operational security components are not overlooked is to combine a big picture framework with detailed procedures and checklists to guarantee that the simple (but critical) actions are performed correctly 100 percent of the time.
Jonathan is President & CEO of SystemExperts Corporation, a network security consulting firm specializing in IT security and compliance. Jonathan started the company in 1994. He plays an active, hands-on role advising clients in compliance, technology strategies, managing complex programs, and building effective security organizations. Jonathan brings a business focus to this multifaceted work balancing all technical initiatives with business requirements and impact.