It’s the Forest – Not the Trees

“Back in the day” (a phrase that amuses me due to its generality yet allusion to specificity–but I digress) when you needed to order office supplies you had to visit the supply room. When you needed additional raw materials you had to submit a materials request form. Need the latest sales figures? Call the sales department. In order to perform a risk assessment of these “systems” the security practitioner rarely had to travel outside the corporate walls. And this was fine for the aforementioned “general/specific” time in history.

We do things a bit differently in the 21st century. Many organizations have agreements with suppliers, distributors, data collection agencies, etc. so that identified follow up action is available from your company Intranet or is accomplished behind the scenes. For example, many grocery stores have electronic connections with their suppliers, distributors and shipping partners throughout the supply chain. This allows for a more efficient process of ordering and receiving items as they are sold to consumers. Need office supplies? Go to your Intranet, click on office supply request, punch in an authorization code and select your items. They will be included in the next delivery date–you can even check the status of an order.

Now suppose you have been given the task of performing a risk assessment of your inventory process. If you were to only look at the systems within your corporate walls (as you did in the “old” days) a significant amount of risks could go unidentified. Looking at it abstractly, your corporate walls are merely one tree in the forest of your inventory process and you can not learn about the forest from one entity. You need to be able to examine the whole forest, perhaps one tree at a time (a lengthy process but my point is made) but from one end to the next.

When looking at the entire forest (inventory process in this case) some questions that should come to mind include: How are your partners performing security on their end? Are they sharing authentication credentials among their employees? Do they practice configuration control? What happens to the data they receive from you? It is very difficult, if not impossible, to gather this information from only looking internally at your systems (one tree in this example). Perform a risk assessment (or audit, scan, etc.) against the entire system and not just one piece. More expensive? Probably. Take longer? Typically. Systems in the forest not under your control? Most definitely.

But all of these issues can be addressed through budgetary, timeline and contractual agreements. Money and time issues are fairly easy to understand while the more difficult part will be working with partners. Maybe you can share the costs. After all, a risk assessment can only help their security posture–and possibly marketing–not to mention strengthen the relationship.

My point being, however the details are worked out, performing an assessment, audit, etc. against one part of your system can lead to a false sense of security and thus disaster. Security functions such as these should take into account the whole forest and not just a few trees.