Originally published at searchSecurity.com, October 30, 2000.
If you are reading this, I assume you are somehow responsible for network or computer security for your organization. Therefore, you understand the problem already.
Being responsible for the network security -- even just some of the security -- of an organization is an exciting and daunting responsibility. There are logs to read, systems to maintain, and -- the focus of today's discussion -- the changing landscape of threats, vulnerabilities, and countermeasures. There's no lack of sources for information, though. And therein is the problem.
At last rough count, I found 10 or more USENET news groups, more than 10 security-related mailing lists, plus all the vendor-specific security alert lists. Even if we did not subscribe and read all of them, it would be like getting over 300 mail messages a day. There are also over 10 magazines (with parallel web sites) dedicated to or reporting on Internet security.
So, first we try to read it all. We subscribe to the mailing lists, newsgroups, magazines, and we set aside time during the day to keep current. And we get behind. Our mail folders fill up, the stacks of magazines get higher, and we look for some free time to get to it. We lug it home with us and read through it there, home being the only place (maybe) where the users, sales people, or managers haven't figured out how to phone us.
We start into our pile of reading and see that we're already 3 months behind. It never stops, and we're frustrated. Also, we've seriously neglected anything that could be referred to as a life. We try ignoring the situation. We toss out the 3-month-old magazines, figuring (rightly) that if it was important, we'd have heard about it already. We'll never get to them anyway. But we cannot just ignore the situation. This is part of the job. Short of despair, what can wedo?
There are some rules to remember and actions we can take based on those rules that will help us regain our life (or have a better chance at getting a life in case we never had one). There are many, but for now let's concentrate on the following three.
1. You cannot do it all 100%, but a decent number of 50% effective efforts raise the probability of you being informed fairly high. We know we cannot do 100%. It is impossible to achieve. We're not setting our sights low, we're being honest. We're being pragmatic. Picking the things we'll do becomes important, since we'll be ignoring or avoiding some other things.
2. "Not All Things Worth Doing Are Worth Doing Well" (Tom Peters' A Passion For Excellence). I know that's not what your mother said, but life is more complicated now. This follows from item #1. Sometimes we can cut corners; sometimes we can skim. And it is just fine.
3. There is such a thing as "Good Enough." This, too, follows from the rule above it. We cannot be perfect. We cannot cover everything. But we usually (often) don't have to. If you put together 5 things, each of which alone is 50% effective, you approach 97% efficacy. Not bad.
So, what do you do with these axioms?
1. Chose a good "news clipper" service. This can be any of many services that highlight security news on a weekly basis. If you received this via email, you're signed up with an excellent one from SearchSecurity.com. Network Computing Magazine and the SANS Institute have weekly mailings, as does The Internet Security Conference and many others. Check them out and find one that "fits." Why not a daily service? I don't think we have the time for daily. Might not we miss something important? That's why we do other things.
2. Sign up to get all security alerts from the vendors whose products you run. Their web sites or support contacts will be able to get you connected.
3. Sign up to get alerts from the Computer Emergency Response Team (CERT). They are a taxpayer-funded, central clearing house for cyber-incidents.
4. Sign up to get one or two monthly magazines that concentrate on security. I'm thinking of Information Security Magazine and InfoSec News. If you have time, add a weekly Internet magazine or two (but I bet you don't have time for them).
What about news groups and other mailing lists? Read those only if you have the time and can learn something. Realize some lists have more chaff than wheat. If you do sign up, plan to assess their usefulness every so often. Don't forget that the goal was to keep current while still having a life.
About the author:
Fred Avolio is the president and founder of Avolio Consulting, Inc., a Maryland-based corporation specializing in computer and network security, and dedicated to improving the state of corporate and Internet security through education and testing. You can reach him at http://www.avolio.com/.