Tuesday, September 25, 2007

CSIRT Management: Politics

Network World's Security Strategies Newsletter, 09/25/07

By M. E. Kabay

As I mentioned in my last column, I am presenting three articles (this is No. 3) based on the work of some of my graduate students during class discussions in a course on computer security incident response team (CSIRT) management. What follows is the last edited segment based on a summary written by students Mani Akella and Rick Tuttle. Today’s topic is the politics of triage.

* * *

Internal politics are a major consideration for any activity in the organization - especially sensitive functions like the CSIRT.


Since the CSIRT, by definition, affects the computer operations of the entire organization during an investigation, its members will interact directly with many of the organization's personnel over time. To someone not familiar with how a CSIRT operates, a brief interaction can seem more like an abrasive intrusion than a genuine effort to help.

This means that CSIRT members need to be consummate service-oriented personnel with well-developed communication skills. In addition, team members need to be sensitive to the political nuances within the organization: they must be able to interpret the true import of a statement rather than taking it at face value. To stay true to their objective and resolve incidents properly, CSIRT members must be able to isolate their investigative process from political influence.

Internal politics can lead help-desk staff to misrepresent incident ticket priorities; the team needs to be able to recognize such pressure and present the situation to its management for appropriate action. At the same time, team members need a healthy respect for the limits of their authority. They must be conscientious about not overstepping their bounds without appropriate reason and permission.

The team needs to be aware of the internal drivers in the organization, because business objectives must shape triage priorities. For a financial organization, the prime driver will be financial effect; for a military team, priority may be determined by personnel safety or mission objectives rather than by cost.

In each organization, service offerings are weighted according to their perceived relation to the primary business. Team members must also accept that a person's perceptions are that person's reality, whether or not anyone else agrees; this acceptance helps the team respond appropriately. Each proposal needs a business case. One posting, by Rick Tuttle, provides the following example:

"What is an industrious network administrator who needs an IPS [intrusion-prevention system] to do? They can take the initiative to test Snort via the freeware route. Assuming good results, they write up a business case to purchase the required hardware and software, including support. For the operating system, they can choose, say, either Red Hat or Novell offerings that include support. For the IPS, they can include a Sourcefire quote. But, even if it is the best system at a low cost, it will not fly if the network administrator is the single point of failure in manning the system."

Another important aspect of internal politics vis-a-vis the CSIRT is managing the business teams. During an incident, it is important for the CSIRT to manage not only the technical aspects of the incident but also the personnel representing the various aspects of the business who may have vested interests in following the progress of the incident.

To quote Mani Akella:

"[T]he politics is not in the triage process. It is in managing the business unit at the root of the incident. It’s a natural human reaction to want to protect your turf especially if you are at the root of the problem. These politics can be difficult to manage if people’s jobs are at stake.

"From a disjointed perspective, it could be pointed out that business needs to be placed before personal considerations; however, this never seems to successfully happen in the real world.

"[P]olitics is closely, deeply interwoven into the fabric of our societies. However, in this case, granted that some parts of the 'parent structures' are more equal than the others, and always receive greater priority than the others - would you not accept that (apart from the extreme cases when we hop-step-jump to fix the CEO's son's games on a personal laptop) the simpler problems on the CEO's machine still have greater impact to the organization's working than perhaps a minor server crashing? Anything that has an impact on the parent structures' time has to be, in pure business value, of higher impact than large isolated technology failures."

James Franklin added:

"We could easily venture off into a discussion on political philosophy; I understand what you are saying. However, there is a psychological component missing in the value argument and I'm suggesting it is the psychology and not the value that drives behavior. This is the politics…

"C-Level positions have power. People respond to that power. From inside the company, when a C-level person asks for something the response is immediate and palpable because the C-level has power. That power can make or break a career and it can end a job. From outside the company, the board, stockholders, analysts, etc., may think the C-level person adds no value. Even if that view is held, from within the company people still respond because they want their job tomorrow and they may want to advance.

"Value is determined outside by the market. People inside react to the power. Thus, the politics."

* * *

Mani Akella, CISSP, is President and Technical Director at Consultantgurus, a Bridgewater, N.J., organization focused on providing information assurance and surveillance services to its clients.

Rick Tuttle is a project manager at Sasol North America Inc., a Houston chemical manufacturing company. He manages desktop software deployment, including security patches and updates, and supports the company's business continuity and compliance efforts.




About the author:

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt.



Copyright Network World, Inc., 2007
