Security Baseline

By now, many organizations have already done multiple threat and security assessments of their existing IT environments.  For some busy organizations that is where the effort ends: victory is declared, the assessment's work is filed away and forgotten, and it stays forgotten until the next audit is called for, whenever that might be.

When security and threat management are treated as a discrete task, they inevitably become just one more item in the continuum of tasks that blend in with everything else the demanding world of IT requires.  Sadly, this then evolves into a serious problem.

A threat assessment is a snapshot at a point in time.  Even the most aggressive assessment will fail to capture 100% of the threats, and the subsequent mitigation work will deal with only a fraction of what was captured and analyzed.  Filing it all away for one, two or three years simply compounds the problem.

The fact of the matter is that the threat environment is constantly evolving.  Aspects that were minor concerns two years ago may be headlining issues now.  A security staff, or an organization, that feels it is "on top of the threat" may only be kidding itself.  Further complicating the picture, if mitigation steps aren't taken, or are haphazard or weak, the erosion continues unabated, and eventually the negative effects appear.

In reality, a threat assessment or similar analysis can only be considered a baseline as of the moment it was completed.  Two seconds after that, the information is already becoming stale!

The trick is to recognize the perishable nature of the information in the assessment.  Instead of taking a single snapshot, the organization needs to change its practices to include periodic re-assessment of the threat environment.

In a small to medium business this is further complicated by the scarcity of security resources, leaving many organizations only weakly defended.  Indeed, "don't tell me, I don't want to know…" may seem to be a strategy, until a breach occurs and someone has to answer for the data loss.

Like it or not, cyber security is becoming a way of life.  Any organization doing business on the Internet must reconcile itself to that fact.

Here are a few things that an organization can do to prevent this situation:

  1. Periodically review and refresh the threat and risk assessment (refresh the baseline).
  2. For those threats actively being mitigated, monitor the effectiveness of the mitigations.
  3. For those threats on the "wait list", review whether the environment has changed.
  4. Consult one of the many online information resources focused on organizational cyber protection.  (For example, the National Institute of Standards and Technology (NIST) has a huge library of security standards, its 800-series.)
  5. Don't be afraid to reach out for expertise in the industry; in fact, having an outside set of eyes look at your assessments and perhaps provide advice is a healthy security practice.

In the end, recognize that while assessing your organization's risk is a good thing, it is what happens afterwards that determines whether it was worthwhile or simply a waste of resources.



New Blog – “First Light”

In the astronomical trade, "First Light" is a term used to describe the premiere of the first fruits of a particular telescope or system's operation.  The term has been hijacked by writers such as myself to apply also to the establishment of things of smaller import, in this case, my humble blog.

The Risky Undertaking is a blog focused on the areas of Risk Management, Privacy Issues and more recently, the whole question of Cyber Security.  Essentially it will be the voice of my personal consultancy practice and it will be the place where I hope to inform, promote, and also “sound off” on topics of interest in this area.

About myself:

My name is Richard and I am the owner / operator of this blog.

I have worked in the IT and Security business areas for several decades.  The bulk of my work has been done in the Southwestern Ohio area, but I have traveled and worked at times elsewhere in the US.

My technical interests are diverse and they run the gamut from bread-and-butter security and compliance work on down to more concrete areas such as programming ARM-based processors to do specific "gadget" tasks.

Besides my independent consulting work, I am also a Microsoft partner, a Cisco partner and a Symantec partner and as a result I am also able to sell their products to my clients (present and future).

I should also point out that my personal humor is somewhat dry, along the lines of the old Monty Python skits of the 1970s, so I apologize in advance if that comes through in my posts.

Why should you come here?

In anticipation of this question, here are a few reasons:

  1. Alternative perspectives on security, cyber and risk topics.
  2. A "little guy's" view of the industry as it relates to those areas of my interest.
  3. Views tempered by my long involvement with this industry.

I could probably think of a few more, but that should be sufficient for the moment.

Please stay with us in the weeks and years to come and hopefully I’ll occasionally provide you with some good “stuff”.