I've always been a fan of the SANS Institute's Top 10 Vulnerabilities list, even after it grew into a Top 20 Vulnerabilities list. It has encouraged other useful lists as well, such as the CWE/SANS Top 25 Most Dangerous Programming Errors and the 20 Critical Security Controls. The OWASP Top 10 Web Application Security Vulnerabilities is just as useful -- and the fact that most of the items on that list haven't changed over the past decade is very telling. Lists like these are great for building consensus about what the biggest problems are so that they can be addressed in a focused manner.
My question for you is, does your organization have a top 10 computer security problems list? If so, is the list well known by all members of IT management, computer security staff, programmers, and infrastructure support folks? If you don't have a list -- or if no one else knows about it -- how can you be sure that your IT department is focusing the right amount of resources on the right problems?
I constantly run across organizations that do not adequately address their highest-risk problems; instead, they get sidetracked into solving midtier problems that are easier to crack. For example, an organization's biggest problem might be end-users installing Trojan horse malware. Meanwhile, the company is pouring money and manpower into stopping remote buffer overflows or chasing 100 percent patching compliance -- even though those efforts resolve only a small percentage of the organization's overall computer security incidents.
Building a top 10 computer security list for your organization starts with identifying and ranking threats based on the best metrics you have. You should then get team and management approval for the items that make the final list. This forces everyone to affirm and focus on the biggest problems.
Once you've created your list, communicate it through the normal computer security education channels (e-mail, posters, newsletters, and so on) so that every relevant team knows the top issues and can attack them from its own angle: programmers in the code, infrastructure staff in the build and configuration, security staff in monitoring and response.
Tracking progress is also critical to success. Someone should be responsible for collecting the metrics for each item on the list and delivering a progress report to the larger group each year. At that time, the group should review the list to decide whether any problems can be removed and whether any growing security issues should be added. If the metrics got worse for a particular item, the team will need to devise a new plan of attack, perhaps modeled on the strategies that worked against problems already knocked off the list.
Once created, your top 10 computer security list will likely never go away; rather, items will move around or be replaced by other, more pressing issues. What the list gives the organization is a way to focus on the most important means of reducing risk, and a line in the sand to measure against each year.