ISSA International Conference 2018: Implement DoD-level security

The ISSA International 2018 Conference offers solutions for complicated privacy risks, and consultant Jeffrey Man counsels execs to take the DoD's approach to security maintenance.

ATLANTA -- One of the declarations made clear at ISSA International Conference 2018 was that basic, preexisting security measures are no longer adequate to protect advancing technology -- companies must instead turn to innovative solutions to maintain security infrastructure.

One interesting idea: Take lessons from the Department of Defense (DoD) for corporate data security. Jeffrey Man, a senior infosec consultant at Online Business Systems, presented a session at ISSA International Conference 2018 where he provided concrete tips on taking the DoD's approach -- even for companies that scoff at the idea that they need this maximum-level cybersecurity.

Man certainly spoke from experience: During his more than 30 years in computer, network, and information security, he held various security research, management and product development roles with the NSA and the DoD, as well as private-sector enterprises.  

Write things down

He advised that companies start with identifying what, exactly, makes their network insecure. Man cited a list of common vulnerabilities, including decentralized administration, lack of resources and no written corporate security policy that every employee -- from CIO to admin -- could follow.

"A lot of companies in the commercial world have never sat down and struggled with the question 'What are our goals for security?'" Man said during his ISSA International Conference 2018 session, titled "Does DoD-Level Security Work in the Real World?"

Part of the DoD commitment to security begins with developing goals and strategies to protect data. What data is vulnerable? What data is most valuable? If you are responsible for protecting PII and consumer data, parse out how this data will remain confidential, secure and legitimate. 

Man urged companies to treat technology as only one part of their security policy: outline goals first, then choose the products that support the company's infrastructure, not the other way around.

"Information security starts with understanding what your goals are, your approach is, and then you start talking technology to pick the right tools and solutions," Man said. 

Use the DoD risk equation

The DoD, in an effort to create a simple method of assessing risk, created an equation to outline how to assess risk to data, intellectual property and personal information, Man said. The formula states that risk is a function of vulnerabilities and threats that must be offset by countermeasures or security.

"When you apply risk to a commercial company, you're talking about making money, minimizing cost, and [protecting] corporate reputation," Man said.

[Photo caption: Jeffrey Man, senior infosec consultant at Online Business Systems, at ISSA International Conference 2018.]

Analyze each portion of the equation separately, Man said. How is your company handling vulnerabilities? Monitoring existing and future threats? What countermeasures have worked in the past?

Every element of the risk equation has a cost, and companies have to analyze where their IT budgets are going -- and how effective those investments are. Spending on systems that try to eliminate vulnerabilities, for instance, without also stacking up the appropriate countermeasures, leaves weaknesses in security, Man said.
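The article describes the DoD risk equation only in words: risk is a function of threats and vulnerabilities, offset by countermeasures, and every term carries a cost. The toy risk register below is an added example, not code from the talk or from the DoD; it assumes a common multiplicative approximation (impact x threat likelihood x vulnerability, with each countermeasure scaling the vulnerability term down) and uses constructed asset and control figures. It goes a step beyond the text by ranking controls on risk reduced per dollar and picking a set that fits a budget, which is the "where is the budget going, and how effective is it" analysis the paragraph above calls for.

```python
"""Toy risk register: risk = f(threat, vulnerability), offset by countermeasures.

Assumed model (not the DoD's actual formula): expected annual loss =
impact * threat likelihood * vulnerability, and each countermeasure removes a
fraction of whatever vulnerability is left. All figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    impact: float         # loss if compromised; reputation is proxied as money here
    threat: float         # probability of being attacked in a year, 0..1
    vulnerability: float  # probability the attack succeeds with no controls, 0..1

    def __post_init__(self):
        for field in ("threat", "vulnerability"):
            if not 0.0 <= getattr(self, field) <= 1.0:
                raise ValueError(f"{self.name}: {field} must be in [0, 1]")


@dataclass(frozen=True)
class Countermeasure:
    name: str
    asset: str            # name of the Asset this control protects
    effectiveness: float  # fraction of remaining vulnerability it removes, 0..1
    annual_cost: int

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be in [0, 1]")
        if self.annual_cost <= 0:
            raise ValueError(f"{self.name}: annual_cost must be positive")


def inherent_risk(asset: Asset) -> float:
    """Expected annual loss with no countermeasures in place."""
    return asset.impact * asset.threat * asset.vulnerability


def residual_risk(asset: Asset, controls) -> float:
    """Expected annual loss after each matching control scales vulnerability down.
    Controls are treated as independent: two 50% controls leave 25%, not 0%."""
    remaining = asset.vulnerability
    for c in controls:
        if c.asset == asset.name:
            remaining *= 1.0 - c.effectiveness
    return asset.impact * asset.threat * remaining


def total_risk(assets, controls) -> float:
    return sum(residual_risk(a, controls) for a in assets)


def marginal_reduction(assets, selected, candidate) -> float:
    """Risk removed by adding `candidate` on top of the controls already chosen."""
    return total_risk(assets, selected) - total_risk(assets, list(selected) + [candidate])


def plan_within_budget(assets, candidates, budget: int):
    """Greedy plan: repeatedly add the affordable control with the best marginal
    risk reduction per unit cost. Marginal values are recomputed each round, so a
    second control on an already-covered asset shows diminishing returns."""
    selected, pool, remaining = [], list(candidates), budget
    while True:
        affordable = [c for c in pool if c.annual_cost <= remaining]
        if not affordable:
            break
        best = max(affordable,
                   key=lambda c: marginal_reduction(assets, selected, c) / c.annual_cost)
        if marginal_reduction(assets, selected, best) <= 0:
            break
        selected.append(best)
        pool.remove(best)
        remaining -= best.annual_cost
    return selected, budget - remaining


# Constructed sample data (hypothetical assets and controls, not from the article).
SAMPLE_ASSETS = [
    Asset("customer_pii", impact=500_000, threat=0.6, vulnerability=0.5),
    Asset("build_server", impact=200_000, threat=0.4, vulnerability=0.8),
    Asset("marketing_site", impact=20_000, threat=0.9, vulnerability=0.7),
]
SAMPLE_CONTROLS = [
    Countermeasure("mfa_for_admins", "customer_pii", effectiveness=0.6, annual_cost=10_000),
    Countermeasure("patch_cadence", "build_server", effectiveness=0.5, annual_cost=20_000),
    Countermeasure("waf", "marketing_site", effectiveness=0.8, annual_cost=15_000),
    Countermeasure("dlp_suite", "customer_pii", effectiveness=0.3, annual_cost=60_000),
]

if __name__ == "__main__":
    print(f"inherent risk: {total_risk(SAMPLE_ASSETS, []):,.0f}")
    print(f"residual with every control: {total_risk(SAMPLE_ASSETS, SAMPLE_CONTROLS):,.0f}")
    plan, spent = plan_within_budget(SAMPLE_ASSETS, SAMPLE_CONTROLS, budget=50_000)
    print("plan for 50,000:", [c.name for c in plan], "spent", spent)
```

Each term of the equation is a separate input, which is the point of analysing the portions separately: a cheap control on a high-impact, high-threat asset beats an expensive one on a low-value asset, and the greedy planner makes that visible. With the sample figures the 50,000 budget buys MFA, patching and the WAF, while the larger data-loss-prevention spend is left out because its marginal benefit per dollar is lowest once MFA already covers the same asset.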

Build layers

While security in depth is not a new idea, Man told the audience at ISSA International Conference 2018 that layering protection is a DoD-centric approach most companies can implement very effectively.

"If you are focused, you start to protect information in layers and depth -- not necessarily on just a technical level," Man said.


The DoD layers consisted of both technical and "perimeter" security. Alongside data security technology, the DoD also implemented a rigorous perimeter security system consisting of alerts, employee education and what Man called a "culture of security."

It's important to make employees understand that what they do matters when it comes to protecting the security goals of the organization. While transparency and security don't often go hand in hand, corporate execs need to maintain a company-wide understanding of security measures, he said.

"Everyone in the DoD understood what all the layers were, understood why they were there and important and why they needed to follow the rules," Man said.

"They knew there was no taking shortcuts because that would cause a weakness and create a vulnerability that might someday get exploited."

Security lifecycle

Man urged execs to not treat security as a one-time investment of energy, time and money, but instead to create an ongoing, systematic approach that changes with industry requirements, federal legislation and evolving security breaches and risks.

"Security is a verb," Man said. "It's something you do constantly."

This lifecycle begins by considering the goals of your company and assessing where you are in the process, Man said. He urged the audience to follow the DoD's first principle, "Write it down," by documenting the company's privacy and security strategy; that makes evaluation easier and allows targeted changes.

"There are [security measures] in the DoD that worked, that were learned over generations of trial and error and failure, and can apply to the whole private corporation," Man said.
