Our Vision
The security landscape continues to challenge individuals, governments and corporations alike. The number, intensity and variety of threats more often than not render existing measures obsolete. Many of the established deterrents in use today are based on technology developed 10 or 20 years ago, at a time when the world was quite different.
At MSSL we have always led the way in bringing leading-edge security solutions to market. We pioneered MSSPs in the region, bringing Counterpane to the EMEA market. We were one of the first EMEA partners of Sourcefire, the commercial organisation behind Snort. We provided training courses in log management and became the first partner in EMEA to represent Addamark (later SenSage), at a time when log management was not viewed as being as essential as it is now. We held the first network forensics courses and were appointed by NetWitness as their EMEA development partner. We were appointed by Foundstone as a distributor to help them drive their expansion into EMEA.
Back in 2002 we introduced the idea of a multi-dimensional approach to information security. We were warning our customers that their focus should not be solely on external threats but also on those posed by the “trusted” insider. Since then Sourcefire has introduced a 3D system, and McAfee and Symantec have both acquired companies in a bid to offer a complete information security package. Even Checkpoint now talks about 3D security.
MSSL continues this pioneering spirit by focusing on what we consider are fast becoming the key security issues of 2011 and beyond:
The position of information security within organisations, and the level of business acumen among those working in the sector.
Greater awareness of the myriad new security technologies available.
End-user security awareness communication and training programmes that are both interesting and informative.
Holistic information security services that deliver real benefits and are precise and cost-effective. Penetration testing, for example, should not simply be a tick-in-the-box exercise.
MSSL holds strong views on the way information security is currently structured within the majority of organisations. We believe that security is about protecting assets; in the case of information security, those assets are digital assets, namely data. Responsibility for data assets ultimately lies with the board of directors of the organisation; in practice, however, that responsibility has been shouldered by the information security team leader.
Responsibility for security is placed on the information security team leader, but without the authority needed to implement the measures and controls they consider appropriate. Security is not like other areas of the business: there are imperatives that must be addressed and cannot simply be shelved pending future funding. Security personnel do, however, have to take some responsibility for not articulating key security issues more forcefully in the form of a solid business case.
Rather than talking about security, we should be articulating the importance of protecting digital assets. We need to define and communicate what these assets are, why they are important, what their relative values are and what the risks to them are. Once we can value these assets they become more tangible, which underlines the importance of security. Focusing on the financial worth of, and risk to, digital assets naturally sharpens understanding of the need for security.
In reality, security staff have limited control over the key asset they are responsible for protecting: data. They may set standards and policy, and indeed they should, but without monitoring mechanisms in place they cannot adequately police that policy.
They do not control how or where data are stored.
They cannot control access to data: when, by whom, from where, and so on.
They do not define what data are stored, in what format, or for what period of time.
In large organisations corporate auditors are charged with policing security policy and, provided they have the right tools, in most cases do a good job of highlighting architectural and procedural issues. Donald Rumsfeld articulated the issue facing both security people and auditors, although at the time he was referring to the so-called ‘War on Terror’:
"As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know."
Donald Rumsfeld -- Feb. 12, 2002 news briefing
Organisations must have a security strategy and plan that clearly identify the issues, the implications and the required infrastructure. This strategy and its associated plan must be kept under constant review and modified to reflect operational conditions. They should be forward-thinking and mapped against the corporate strategy to ensure cohesion and future-proofing. The cost of implementing the strategic security plan has to be calculated and finance put in place. A significant contingency should be applied to the budget to cater for any unforeseen circumstances that may require immediate action. Security is an essential cost of doing business, like paying taxes; it is not a nice-to-have.
Organisations always have to weigh up the level of risk they are prepared to accept as part of everyday business. It is the board’s responsibility to make risk assessments and thereby accept the consequences. Security professionals must be able to advise the board on the implications of any decisions, but ultimately it is not their responsibility if things go wrong.