Interesting news article about some of Boeing’s problems.

This is an industry problem, one that we don’t talk about too much, and the heart of it is that it’s hard to manage security in huge organizations. Sure, there is the infosec frameworks like 7799/27001, FISMA, etc. If you look at the fairly undeveloped pieces of security, you’ll notice some trends:

• At the tactical level, we know vulnerability scanning, exploit writing, and hardening standards.
• At the operational level (Army sense of operational–we’re talking brigades and divisions here), we have risk management, certification, and my favorite whipping-boy, compliance.
• At the strategic level, we have enterprise architecture, inventory management, and capital planning.

My opinion, and it’s purely opinion, is that as you progress up the ladder to strategy, there is less and less of a knowledge base and a higher rate of opportunity for charlatans. But then again, it echoes IT management in general–everybody knows how to build a fairly secure server, not a whole lot of people know how to manage IT infrastructure for 75K users.

Purely as a sidenote, ISM-Community is working to be a player in the operational and strategic area of security, I’m just trying to figure out how to get more people involved.

• Core Belief #4 — Compliance is a Dead-End
• Lousy Security Advice
• In Which Our Protagonist Discovers We Need More Good Public Policy People Who Understand Security
• NIST’S FISMA Pase II–Who Certifies Those who Certify the Certifiers?
• Build a Security Program