My latest article in Security Current, No Book to Be By, mentions that when it comes to security, there’s no such thing as “by the book”. But I don’t go into it in that article. There I am writing about how a task-based CISO (i.e., a PM promoted to the role) might be the worst move an organization can make when they are faced with a list of remediation steps from a regulator, auditor or consultant.
I knew when I wrote that that I was seemingly at odds with other things I’ve written. In this blog, I’ve praised the NIST Cybersecurity Framework; in Security Current, I’ve praised frameworks in general. So, when I write “there is no book,” am I contradicting myself? Maybe I just wrote that because it allowed me to have the catchy alliterative title to the article.
For a writer to admit he was seduced by alliteration is basically admitting that he throws meaning out the window when he encounters shiny objects. I won’t admit to it. Truth is, I thought long and hard about the statement and the title.
What it came down to for me was the distinction between tactical and strategic behaviors when it comes to Enterprise security. This may seem counter-intuitive, but I think it is different for Information Security strategy to be set by non-infosec types than for those types of people to lead the tactical efforts involved.
Strategy takes frameworks (at least one). It requires that there be a “book” to go by. But tactical remediations will be insufficient if they rely solely on any list. Since the article was about tactical remediation and how it is implemented on a day-to-day basis, I feel confident the statement “there is no book” is a sensible one.