Carsten Fabig, Vineyard Management Consulting GmbH, on current IT Security trends and frameworks.

1. Mr. Fabig, why have you and your company gone deeper into the special topic of IT Security Management?

Well, as far as the core of the Vineyard Management Consulting service offering is concerned, this topic was not actually accelerated. But then it simply caught me while I was part of a client's project. This means I was actually approached, based on our Complexity, Process and Project Management competences, and asked if I could support a Data Leakage Prevention initiative. And that is how the first Security project started for me, through which I built up extensive Security know-how and, in the meantime, years of specific qualifications.

2. What attracts you to the IT Security Management challenge?

I think it is one of the top IT trend topics that will keep us occupied in the long term, in business but also in the private sphere. Often, the only thought in the first step is the tools, but it is through their use by the first users that the true change challenges start for the organization at a glance.

3. From your point of view, are companies currently correctly established?

Meanwhile, based on the acknowledged importance, all companies have the challenge of finding qualified staff. On the one hand, there are not enough trained professionals available, while on the other hand the providers of critical infrastructures accordingly attract the additional specialized staff into their projects.

4. Which trends are appearing on the horizon, and which of those are already actual challenges in your present consulting projects?

With the increasing number of cyber-attacks, which are now also communicated to a wider public via the press, the call for effective and efficient Incident Management and special threat intelligence teams will of course become louder. This is the point where automation really starts to kick in, but there is still the challenge of filtering out the false alarms in the data set. The best match between technology and people needs to be further improved. Furthermore, the transparency of the organization's security level is an ongoing issue, the key words here being Key Compliance Indicators (KCIs) and compliance check tools.

5. Which IT Security initiatives are generally prioritized by organizations with limited resources and budget cuts?

The topic of Data Leakage Prevention has entered the race again. In this case, this applies first to how the criticality of the organization's information is classified: first manually, then automated at a later stage. Right after that, Privileged Access Rights Management, effective network segmentation, and the development of hardware and software inventories in relation to Patch Management are accordingly also highly prioritized.
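The two answers above mention Key Compliance Indicators (KCIs) and compliance check tools, and then hardware and software inventories in relation to Patch Management and information classification. The script below is an added example, not something from the interview or from Vineyard Management Consulting: it joins a constructed software inventory (each entry carrying the criticality assigned by the classification step) against a constructed patch baseline and derives a patch-compliance KCI, including the assets the baseline cannot assess at all, which is the inventory gap a compliance check should surface. Hostnames, products, versions, approval dates and SLA windows are all illustrative assumptions.

```python
"""Added example: patch-compliance KCI from an inventory and a patch baseline.

All data here is constructed for illustration (assets, versions, dates, SLAs);
none of it comes from the interview or from any real organization.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    hostname: str
    criticality: str   # "high" / "medium" / "low", as assigned by information classification
    software: str
    version: str


# Constructed inventory export, one row per installed product per host.
INVENTORY = [
    Asset("fileserver01", "high", "openssl", "1.0.2g"),
    Asset("fileserver01", "high", "kernel", "4.4.0-45"),
    Asset("hr-laptop-07", "medium", "openssl", "1.0.2h"),
    Asset("hr-laptop-07", "medium", "java", "8u101"),       # no baseline entry: an inventory gap
    Asset("kiosk-lobby", "low", "openssl", "1.0.1e"),
    Asset("legacy-print", "low", "kernel", "3.13.0-95"),
]

# Constructed patch baseline: minimum approved version and the date it was approved.
BASELINE = {
    "openssl": ("1.0.2h", date(2016, 5, 3)),
    "kernel": ("4.4.0-45", date(2016, 10, 20)),
}

# Constructed remediation SLA in days, driven by the classification of the asset.
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


def version_key(version):
    """Split '1.0.2g' or '4.4.0-45' into comparable parts.

    Numbers become (0, int) and letter runs become (1, str), so that mixed
    tokens never compare int against str and sort as a practitioner expects.
    """
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[A-Za-z]+", version)]


def assess(asset):
    """Return 'compliant', 'noncompliant', or 'unassessed' (product missing from the baseline)."""
    if asset.software not in BASELINE:
        return "unassessed"
    minimum, _ = BASELINE[asset.software]
    return "compliant" if version_key(asset.version) >= version_key(minimum) else "noncompliant"


def is_overdue(asset, today):
    """True when the asset is noncompliant and its criticality-based SLA has already elapsed."""
    if assess(asset) != "noncompliant":
        return False
    _, approved = BASELINE[asset.software]
    return (today - approved).days > SLA_DAYS[asset.criticality]


def patch_kci(inventory, today):
    """Compute the KCI: overall and per-criticality compliance rate, overdue items, baseline gaps."""
    assessed = [a for a in inventory if assess(a) != "unassessed"]
    compliant = [a for a in assessed if assess(a) == "compliant"]
    by_criticality = {}
    for crit in SLA_DAYS:
        group = [a for a in assessed if a.criticality == crit]
        if group:
            by_criticality[crit] = round(sum(assess(a) == "compliant" for a in group) / len(group), 2)
    return {
        "assessed": len(assessed),
        "unassessed": len(inventory) - len(assessed),
        "compliance_rate": round(len(compliant) / len(assessed), 2) if assessed else None,
        "by_criticality": by_criticality,
        "overdue": sorted((a.hostname, a.software) for a in inventory if is_overdue(a, today)),
    }


if __name__ == "__main__":
    for key, value in patch_kci(INVENTORY, date(2016, 11, 15)).items():
        print(f"{key}: {value}")
```

Two design points matter in practice: the "unassessed" count is reported separately rather than silently folded into the compliance rate, because an inventory entry with no baseline is a measurement gap, not evidence of compliance; and the overdue list is keyed on the asset's classification, so the same outdated version on a high-criticality server breaches the SLA long before it does on a low-criticality kiosk.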

6. Which IT Security frameworks should the customer use? Which are particularly close to implementation?

Typically, companies in Germany are currently ISO certified and align their Information Security Management with ISO 27001/27002. Since the subjects can usually hardly be fully processed with the existing line organization teams, it is often helpful to develop a suitable framework for the company and, of course, to use sources such as COBIT, ISO and SANS as input and to focus on a specific area. SANS20 in particular is not a holistic approach; it concretizes the implementation, but only with certain technologies.

7. SANS20 is currently on everyone's lips in IT Security. What changes have now been made in the current version 6.0? How are these to be evaluated?

SANS20 represents an enormous help and guidance due to its priorities and implementation level, particularly for small and medium sized companies. The new version 6.0, which was made public on 15th of October by CIS (Center for Internet Security), has made significant changes to the priorities of the 20 individual focus areas. The first things to name here are the sharp downgrades of security monitoring and of controlled Privileged Access Rights Management. Additionally, a new focus field has been introduced, which directly addresses the data leakage risks and aims in this respect to make the configuration and use of email systems and browsers safer. Also, not surprisingly, the process for secure software development has been downgraded, since the use of third-party purchased software continues to rise and the risks can ultimately often be traced back to gaps in patching as well as in encryption and authentication procedures.

8. Many German companies continue to rely heavily on ISO 27001/2. Do you see this as a contradiction to SANS20, or do you perhaps see this orientation as backward?

No, this is certainly no contradiction. The frameworks are complementary. There are many organizational and procedural aspects that are hardly covered at all in SANS20. It is therefore right and proper to align them with the general management of information security in ISO and COBIT. Particularly with regard to the "non-IT channels" such as voice and print, corresponding awareness is needed, for which SANS20 does not hold the right answers.