I was reading Insecure Magazine issue #34 (http://www.net-security.org/insecuremag.php) and one article in particular stood out: “Fitness as a security model”. Although I don’t agree with the fitness aspect of the model (I think it should have been professional sports, of which fitness is a key piece), I think it is a good model for explaining how a security program should be run. More importantly, it gets us away from the cyber warfare model, which, as the article explains, is both overused and fails without an offensive component. Some highlights of the article (along with my own little spin using a sports reference):
1. Running a security program is a team effort, and although you may have all-stars on your team, unless everyone works together you won't win any games.
2. To win, you have to practice. All sports programs have this, and so should your security program. Practice individually and as a team.
3. Train. The article refers to fitness, and to be fit you must train. So should your security team: train as you practice, as an individual and as a team.
4. To be successful, sports teams must recruit top talent and have a program to grow younger talent (security mentoring is lacking, IMHO).
5. The team can usually operate on its own, but it needs a good coach to call the plays; a good coach, a.k.a. a good security manager. A coach and a manager have to have a thorough understanding of the game, how to play it, and how to motivate his/her team to win. Also, they have to be able to analyze and improve when they lose.
6. A team has to have support from the owners and general managers (think executive suite of a corporation).
7. The team needs to support and get support from the fans (think other IT departments the security team depends on).
All in all, I think this is a great way to describe a security program; in particular, I think the sports reference is ideal for a security incident response team. Kudos to the authors for getting it right.