Our editor-in-chief for the blog, Helena Brito, asked me to outline some of the topics I'll be discussing on M-unition this year. As our Chief Security Officer I keep one foot in the world of client concerns and one foot in the world of company concerns. The dual nature of my work helps shape my perspective of security issues.
One topic I will discuss this year is treating incident detection and response as a business process. Incident detection and response are not tasks that one performs infrequently. Rather, they should be ongoing, repeatable, and measurable.
Speaking of measurement, I will discuss the two key metrics in incident detection and response. In my opinion every security program should begin with two key metrics and build on that foundation. As a preview, I favor measuring outcomes over inputs.
At RSA 2012, and in the security echo chamber thereafter, many people discussed whether or not security teams are "winning." Therefore, I will talk about defining the win and why that matters. Although the state of security doesn't seem to be good from my perspective, using the proper outlook concerning the game will influence your perspective.
Another area of interest is maximizing the value of security personnel. One theme you will hear me repeat is scaling your experts. Most organizations do not have the budget or scale to hire teams of security professionals. How do you get the most from the one or two people you may have on staff?
A related personnel issue involves talent development. If you're going to have any chance competing against digital adversaries, you need people and not just technology. The best people want to continuously improve themselves, so I plan to share some thoughts on this issue.
Finally, I will devote one or more blog posts to models of incident detection and response. I find many security teams pursuing older or more traditional models, despite the tools and tactics available to be more effective and efficient. We don't have the luxury to take weeks or longer to find and contain intruders, so I plan for this information to be timely and actionable.
What other areas would you like me to discuss here? Please let me know.