Take A Census
powers-old-account 270000NC1K Visits (1840)
The Fierce Government, "the Government IT News Briefing" site, posted a story titled "Federal CISOs remove the 'human element,' focus on known risk" about an Information Week sponsored event called the "Government IT Leadership Forum." The story lede focused on calls to focus on solving security problems "at scale." By that they mean if you have a large scale security problems, don't try to solve them with solutions that only work at small scales. In particular there was discussion about how relying on people to directly address shoring up security vulnerabilities doesn't scale. The emphasis should instead be on large scale automation of security management. Hey, no argument from me and I'll kindly point you to IBM's acquisition of BigFix for exactly that same reason.
But the story that from that conference that actually caught my eye came from the US State Department's Chief Information Security Officer, John Streufert.
As described, it sounds like Streufert didn't follow the usual definition of risk = likelihood * impact. Fine. Whatever. What impressed me is that rather than starting with a laundry list/control set like FISMA, he actually took a "census" of his known past incidents. That enabled his department to put a prioritization method in place and vastly improve their patch rates, especially for remote, overseas offices.
The strategy cuts both ways of course. On the one hand, people can argue if you stay too focused on just your past incidents, you're likely to miss other big vulnerability areas that haven't been exploited yet. So you need to conduct a through risk analysis and standard control catalog like FISMA. On the other hand, if you look at a standard control set and take the approach of trying to implement all the controls everywhere, you'll never be done and you might not have the attention span/resources to address the most basic known issues.
The "Take a census" approach to prioritizing vulnerability mitigation work will help offset the security control laundry list trap we fall into sometimes.