Immutable Security Laws For The CCO – #7 – The Well-Administered Network

I recently had the chance to hear David Glockner, Director of the Chicago Regional Office, speak on IT Security and have a few words with him on the subject. The Chicago Office, of course, led the effort on the R.T. Jones case, which is widely misquoted as the “first Cybersecurity and IT Security enforcement.” The SEC has been taking advisers and broker-dealers down the road of Regulation S-P and related failures of the Safeguards Rule for years. While Mr. Glockner indicated that we can expect OCIE to continue to educate itself via the sweep programs, he emphasized that lack of process around Cybersecurity could be the biggest problem for Investment Advisers.

Mr. Glockner discussed two points which should be understood by the CCO and the CISO.

  1. Breach does not necessarily equate to enforcement. The SEC understands that breach of client and firm data can occur despite reasonable efforts on the part of advisers. It is really the development and execution of healthy process that will keep you in good standing from a regulatory standpoint.
  2. Just because your firm has not suffered a breach does not mean you will not face enforcement for lack of process when it comes to IT Security/Cybersecurity.

Similar to issues of the Compliance Rule and Custody, failures in IT Security/Cybersecurity do not have to result in damages, but absence of process and the failure to implement policies and procedures to create protections will be considered a problem. This is really the story of R.T. Jones: an absence of reasonable process. It’s this process that had me thinking about Scott Culp’s Immutable Laws of Security Administration:

Law #7: The most secure network is a well-administered one.

All of this sensible discussion concerning IT Security in the midst of a maelstrom of confusion over the subject of Cybersecurity got me thinking about the basics, the same basics that were emphasized going back to the SEC Cybersecurity Roundtable of March 2014: “You cannot buy Cybersecurity.” Despite this very sound advice from a few years back, I still see many firms reaching for the most expensive black box – what is sometimes referred to as Shiny Object Syndrome (“SOS”). The concept that purchasing the newest comprehensive tool or threat analytics application will “fix the problem” is just wrong for many reasons.

If we are truly thinking about a cost-effective approach to IT Security, I would recommend hitting the pause button before signing the expensive multi-year contract for advanced behavioral analytics. Here are just a few reasons for slowing down the process:

1. Adding complexity to the network, even for monitoring purposes, can be a mistake, as you are just throwing more stuff into your environment. Agent-based monitoring, scanning, and linking to cloud-based resources just sound to me like increasing the Attack Surface. In many cases, hackers can identify agents and services, and there have been documented cases of Common Vulnerabilities and Exposures (CVEs) related to installed security agents and hardware on your network. All new devices and agents also have to be continuously evaluated for vulnerabilities and patched like any service. As Scott Culp of Microsoft has stated, “Security only works if the secure way also happens to be the easy way.”

2. Our client base tends to be Windows-centric due to the heavy reliance on the Microsoft Office suite and the emphasis on documentation/documents that starts from the top, at the SEC. After all, document production is a key component of the examination process, and the Compliance Program and policies and procedures tend to be maintained in document form. We are not Microsoft advocates, but there is no question that several tools native to the operating system and Windows Domain environment exist that can be used effectively, sometimes at low or no cost, to enhance the security of your networks. Just to offer a few examples which should be explored and due-diligenced (new word patent-pending) in the context of any change management process:

  1. System Center Configuration Manager (SCCM) is a central administrative tool that can be tied to end-point updating, antivirus controls, mobile device management and more.
  2. Advanced Threat Analytics (ATA) is improving all the time and offers a reasonable cost approach to behavioral analytics and understanding User activity patterns. There are other advantages here such as reduced invasiveness in the network — no need to install agents throughout the network and perhaps more difficult to detect by intruders. I think ATA is worth considering anytime you are pondering behavioral analytics.
  3. Windows Server Update Services (WSUS) is a patching administrative tool. There may be more elegant solutions with better reporting capabilities, but WSUS can be effectively managed in the smaller environment.

3. Before slapping third-party products onto your network and domain environment, I would recommend slowing down and taking a methodical approach to the process. That methodical approach starts first with the consideration of security and administrative tools that may be native to the operating system and domain environment of your infrastructure. While this may not always be the case, you are likely to see fewer conflicts, fewer configuration nightmares, and less cost with this approach. Second, take a look at your existing vendors, antivirus, antimalware, and central administrative tools that are functioning well. Oftentimes, you can leverage existing vendors for additional security processes such as new services, new Data Loss Prevention controls, and new reporting capabilities. Don’t overlook Microsoft’s native DLP controls for on-premises and cloud-based services either.


Some of these control suggestions may be more effective in the small network environment, but we find that many advisers, irrespective of the AUM figure, are running in lean, 10-30 person operations. These are user numbers that, with proper administration and guidance, can be effectively managed, so you may not need the monster enterprise solution.

The point is: don’t add complexity to your environment by layering on third-party services before exploring available options. These notions should be brought to the Information Security Committee and also considered in discussions with your primary IT person or Consultant. Are they (the IT consultants) truly experts in the Windows Domain Environment? Do they discuss with you the practicality and cost-effectiveness of the tools they both use and recommend? The Shiny New Object may be difficult to resist, but sensible and good network administration will ultimately lead to a more secure environment over which you have a greater degree of control.

Note: Throughout this post, I have referenced Scott Culp’s “Immutable Laws of Security Administration.” We will be writing more about these points in the future, but CCOs and CISOs should keep in mind that security can be achieved through common-sense guidance of the process.

10 Immutable Laws of Security Administration

Law #1: Nobody believes anything bad can happen to them, until it does.
Law #2: Security only works if the secure way also happens to be the easy way.
Law #3: If you don’t keep up with security fixes, your network won’t be yours for long.
Law #4: It doesn’t do much good to install security fixes on a computer that was never secured to begin with.
Law #5: Eternal vigilance is the price of security.
Law #6: There really is someone out there trying to guess your passwords.
Law #7: The most secure network is a well-administered one.
Law #8: The difficulty of defending a network is directly proportional to its complexity.
Law #9: Security isn’t about risk avoidance; it’s about risk management.
Law #10: Technology is not a panacea.

