"What is really happening is the head of security is losing control over the security agenda, which is being co-opted by audit and this umbrella of controls...
The ability to decide which security projects get funded is being taken out of the security officer's hands...
This focus on regulatory issues is causing a loss of control over the security agenda, which is being pushed and dictated by the audit and controls group and meeting the requirements of the regulation."
I see this focus on "controls" as more of the "prevention first and foremost" strategy that ignores the importance of detection and response. I had this reaction when I saw Dr. Ron Ross of NIST speak at a recent ISSA meeting. The NIST documents seem to focus on prevention through controls, and then they stop.
The unfortunate truth is that prevention eventually fails, as readers of the blog and my books know. While researching the Institute of Internal Auditors Web site, I came across an article that supports my theory. Here, in brief, are the findings of "Does Risk Management Curb Security Incidents?"
- Are organizations that have conducted an information security risk assessment less, more, or equally likely to have a documented information security policy? Yes (more likely).
- Are organizations that have a documented information security policy less, more, or equally likely to implement system security measures? Yes (more likely).
- Are organizations that have a documented information security policy less, more, or equally likely to implement information security compliance measures? Yes (more likely).
- Are organizations that have a documented information security policy less, more, or equally likely to have an information security awareness program? Yes (more likely).
- Are organizations that employ information security compliance measures, an information security awareness program, and system security measures less, more, or equally likely to experience security incidents? An analysis of variance (ANOVA) test failed to support the hypothesis (H5) that businesses employing such programs and measures suffer fewer security incidents.
This is pathetically amusing. So: perform a risk assessment, document a security policy, be compliant, teach awareness, and still get 0wn3d. It seems to me that, at the very least, some attention needs to be paid to the detection and response functions. Otherwise, a lot of money will continue to be spent on prevention, and organizations won't be any more "secure."
PS: The reference cited by the IIA article is available here. I originally visited the IIA to learn more about their Global Technology Audit Guides.