Home Ownership and Infosec Risk Management

A little over two years ago, my partner and I moved from a condo to a single family home. While we’ve enjoyed many aspects of owning a home, there have certainly been challenges. In short order we repaired a shattered sewer connection, put on a full new roof and gutters, replaced the water heater, conducted major insulation and window work…well, you get the idea. Throughout all of this I’ve had a running thread in the back of my mind about the parallels between owning an older home (ours just passed 100 years in age) and information security. Two years in and it’s finally time to put a few thoughts down.

Situational Awareness

When we bought our home, we went with a trusted home inspection. This turned up a number of issues and we were able to move forward with the purchase process knowing what we were getting in to. On the infosec space, unless you are starting out with a true greenfield environment, a risk manager is going to be dealing with lots of baggage in architecture, processes, and cultural aspects. Having a good awareness of where your issues lie is foundational to engaging in managing them effectively.

Prioritization

Seattle is a hot housing market and we bought in near the top of our financial budget. We didn’t have a lot of funds or energy to take on a full house renovation. As we settled in, we prioritized our efforts into things that kept/made the house structurally sound, improved our comfort, improved cost efficiency, and general livability. We’ve still only barely begun on the aesthetics items (oh, how I want to do a full house pain job!). In infosec, making trade offs between the things that you’d love to take on versus the more mundane but more impacting issues are par for the course. I’ve seen far too many security professionals get distracted by shiny blinking boxes when what was needed was basic relationship building and understanding the business.

Neighbor Effect

Living in an urban village area, we have a mix of single family homes, apartments, McMansions, and duplexes around us. In fact, it was that diversity that attracted us to this neighborhood. Our property value and, more importantly, our community, is impacted by the actions of our neighbors. Folks around here try to lend a hand in looking after each other’s property over vacations, joining together to rake up the leaves that always seem to fall all at once, and generally being good neighbors. Similarly, the security posture of an organization is deeply affected by the posture of all the vendors, consultants, and other parties that contribute to that organization.

Living in the Now

The list of home improvement projects I’d like to carry out is long, is longer than when we first moved in, and will probably be equally long whenever we eventually leave this home. That drives a list oriented and completion obsessed person like me a little batty at times, but I’ve come to terms with all things being somewhat imperfect. Similarly, infosec management is an ongoing process rather than a state where you finally have all your assets cataloged just so and your controls lined up with military precision. No matter how much you work on your program, there are always new areas to explore, old ones to burnish up, etc. It’s important to understand your risk tolerances (or your household/corporate budget) and invest an amount that is appropriate for your aims.

Expect the Unexpected

Right before heading on an extended trip our fridge went out, causing a frantic 24 hours of calling around for parts and trying to find open stores. In the end, while we had to toss a lot of food away and had a bit of a clean up project when we returned home, we still managed to go on our trip without too much hanging over our heads. In infosec, despite your best intentions and plans, stuff will go pear shaped every now and again. Adverse events cannot (reasonably) be prevented and a response plan that recognizes that incidents are not the result of individual failure, but part of the chaotic beauty present in life will keep your organization, employees, and customers much better protected than an unrealistic hero complex that you, and you alone, can Defend All the Things(tm).