To end a fine day, let’s continue through the Securosis Guide to the RSA Conference 2010 and discuss something that has been plaguing most of us since we started in this business: security management.

Security Management

For the past 20 years, we’ve been buying technologies to implement security controls. Yet management of all this security tends to be considered only when things are horribly broken – and they are.

What We Expect to See

There are four areas of interest at the show relative to security management:

  • Log Religion: Driven by our friends at the PCI Security Standards Council, the entire industry has gotten the need to aggregate log data and do some level of analysis. Thank you, Requirement 10! So at the show this year, we’ll find a log management infestation, with a new vendor poking out of every nook and cranny to espouse a new architecture, disruptive pricing, or some other eye candy. And yes, you do need to collect logs, so focus your efforts at the show on figuring out what is the best fit for your organization. Are you just collecting logs, or do you need to correlate and alert? What are your volume and scalability requirements? What kind of reporting do you need? What about integration with the rest of your infrastructure? The point here is not to make a decision but to establish a short list of 3-4 vendors to dig deeper into after the show.
  • Platform Mentality: Since security management is supposed to make your life easier, you don’t need to be a genius to realize that having a management console for every device type in your network doesn’t make a lot of sense. So you’ll hear a lot about SIEM + Log Management + Configuration/Patch + Vulnerability + Network Flow = Nirvana. To be clear, management leverage is good. Getting it by adding even more complexity to your environment: not so much. So to the degree that you are ready to start integrating management disciplines, focus your discussions on migration. How do you get to the promised land? Which hopefully doesn’t involve a truckload of high-priced consultants to do the ‘customization’.
  • Risk Mumbo Jumbo: Risk is likely to be a hot topic at RSA as well. The more mature security programs have figured out that ‘security’ means nothing to senior management, but C-level folks get ‘risk’. Unfortunately, there are no accepted mechanisms to define or quantify risk. So when a vendor starts talking about “risk scores” you should focus on the amount of effort to get a risk model set up and what’s required to keep it up to date. You can’t go down to Best Buy and get Risk Management in a box, so the question is how much effort you are willing to put in to show a graph – which may or may not reflect reality – to the CFO.
  • Operational Efficiency: Finally, you’ll likely hear a lot about improving the operations of your environment. That was a major theme last year in the depths of the recession, but the issue hasn’t gone away. This plays into the themes around integration and platforms, but ultimately there will be a number of niche tools (like firewall policy managers) designed to make your operational teams more efficient, saving money. Depending on the size and/or maturity of your security program, some of these tools may yield value. But adding yet another widget isn’t a good thing unless you can redeploy resources onto other functions by taking advantage of automation.

For those so inclined (or impatient), you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network SecurityData SecurityApplication SecurityEndpoint SecurityContent Security, and Virtualization/Cloud Security.