I have been a CISSP for a year and figured I should utilise / engage with the community.
One of my biggest blind spots in all things security is knowing what the options are when it comes to low level controls. A lot of this is experience, but I wondered how other architects / IA brethren dealt with the problem.
For example, security boundaries. I come from a Cisco background, so will always gravitate towards Cisco Firewalls, but times change and I know there are other options, which may be more suitable. Firewalls are complex products, so I can't assess them all, especially when time is limited. What the industry seems to need is a "Which?" for security software, appliances, etc.
The scope of the challenge goes beyond firewalls: it's difficult to know what the options are year on year, with AV, DLP, proxy products, SIEM and monitoring products, cloud security controls, data encryption at rest products, data destruction, IAM, 2FA, VPN products, the list goes on and on...
I'm not without tools, and here are some approaches I use:
- Looking at Gartner for industry trends
- Talking to others in IT about their experiences
- Googling reddit for short listed products to see wider real-world experiences and opinions
- Looking at Common Criteria assessments, e.g. https://www.commoncriteriaportal.org/products/
- Contacting Vendors directly for more information
- Using common sense (particularly around Vendor maturity and risks)
These are all effective, but I'm interested to know how others approach the problem and any tips or useful sources for making better decisions.