Strategy Before Tactics
If you have no defined strategy then what ever tactics you employ probably won’t meet your goals. How many of us in the information security business bought a product, tool, policy or process from a company because we needed to meet a legal requirement, a passing interest in a neat new toy, or a recommendation from a group or consultant without really visualizing how it will fit into our strategic and tactical goals for the company? Evaluating technology can be fun, but when looking at a business reason for doing a thing, how does it fit into the strategic vision of the company, and then what tactical exercises will be required to make it part of the day to day processes in the company. If you purchase an IDS system, what business problem are you trying to solve? Noramlly the answer is (regardless of HIDS or NIDS) track, trace, and in some cases eliminate both an external and insider threat to company assets and data. This strategy works for Anti-Virus, spy sweepers, and other systems that use rule sets or anomaly detection to discover someone doing something bad. If you purchase a security enterprise management system, what business problem are you trying to solve? The answer could be "I have 4 different types of systems, VPN, Firewalls/Routers, HIDS, and Event logs, all create data that is stored on 4 different points on the network. I need a system that will collate and report on all of these data points, and allow the organization to do work more effectively than it is currently doing." These are good strategies, I am buying a technology to solve a problem, or solve problems. These are strategies that can end in an ROI, for example, before AV and Anti Spyware, the security department and help desk spent X hours a week fixing issues. Since AV and Anti Spyware, the security department and help desk spent Y hours a week fixing issues. That decrease in man hours spent should equate out to an amount more than what was spent on the technology depending on anatomization of the technology costs. Tactically though what do you have to do with AV to make it work day to day. The help desk has policies and procedures on what they need to do. These are day to day tactical works that are required to keep the system up and running. The Security Department has policies and procedures on what they need to do, like containment, follow up, generation of policies, upkeep of policies and procedures as AV interfaces change. This same line of thinking can be used on just about any project that any department wants to buy. Even if the regulatory environment indicates a series of steps or technology types that should be used. If you need to do SOX compliance part of the strategy steps would include the requirement for SOX compliance. For tactical compliance there would be:
Getting the right strategic framework around what you want to solve, and then developing a suitable tactical solution to the strategic goals will help make the project more successful. Rather than many systems in a company that do like or similar things, going back and evaluating the technology you have, in comparison to the technology that you already have, in comparison to the strategic goals for the company, and then how it will be implemented on a tactical level.