Monday, March 29, 2010

Critical Mass


A thought that occasionally comes back to me: at what point does the size of a company create challenges that are not, or perhaps cannot be, addressed? Where is the sweet spot between too small to actually do security well and too big to have a handle on what is happening at any given moment?

In the small/medium space (say < 250 full time employees), where I have lived most of my cubicle-dwelling life, there has been understanding and support for some of the security basics such as antivirus/antispyware, firewalls, email & Internet filtering, and OS patching, but beyond that it is hard to justify and get buy-in for the budget dollars needed to take things to the next level of maturity. The cost of some of the better IDS/IPS and SIM/SEM/SIEM solutions, plus the IT staff time and expertise needed to monitor them and to tell what requires attention from what is just noise, adds up to a tall order.

On the ginormous side of the world, how do large global companies with 10,000 plus employees address the bureaucracy, enormity and complexity that come with that size? Thinking about how to manage, or even get my puny mind around, tackling InfoSec at that scale/scope makes me dizzy.

I have no answers on this topic, only more questions.

Image courtesy of Wikipedia article on Complexity Science:
http://en.wikipedia.org/wiki/Complexity
&
http://www.art-sciencefactory.com/complexity-map_feb09.html
(Very cool t-shirts here.)

Saturday, March 27, 2010

Watching the Watchers


At the March meeting of the Grand Rapids ISSA the topic of accountability was raised. The idea being that InfoSec professionals and most IT staff have a lot of access/permissions/etc. That is a necessity to a degree, but in small/medium shops, which is where I've spent most of my working life so far, the fact is that there isn't much in the way of firm policy and procedures around checking on other IT staff or other employees within the organization.

No easy answers here, and there is a basic degree of trust required in any org for anything to get done. I am not at all pro micro-management, but at the same time it seems there needs to be some intentional attention given to keeping each other (i.e. IT dept peers) on the right track. Just because I have access to sensitive information such as payroll (how much does that guy make?) and HR documents (did she get written up for that one thing?) does not mean I should give in to my own curiosity. Least privilege is a wonderful thing, but seldom do smaller departments take it to the degree that is needed, and it is a real PITA managing perms when roles and needs change. Most stuff is more open than it perhaps needs to be simply because everyone is spread thin and fire fighting the majority of the time.

This one made me go hmm a few times in the last couple weeks.

Well, the sun is shining and it is time to get some fresh air. Then head to the library to start writing a paper for my DU class.