Just Fix It: The Dilemma of an Information Security Professional

Mike Thompson

Mike Thompson is the Director of Information Security Products and Services at Linus Information Security Solutions. Mike’s expertise lies in bringing IT and the Business together to improve Information Security outcomes. He has over 25 years of experience across numerous government, commercial and not-for-profit organisations, and is recognised as an ISM expert with the rare ability to articulate complex issues and concepts in plain language and business contexts. Among his many projects he has uncovered computer fraud, ethically hacked a number of organisations, worked as an official adviser to the Victorian Privacy Commissioner and the Victorian Law Reform Commission and designed and developed award-winning software solutions.

Do any of these lines sound familiar?

• “I just read about this serious vulnerability. Are we OK?”
• “How did this happen? You assured me we were secure.”
• “We already spend $$ on security – why do we need more?”
• “I don’t understand any of this cybersecurity stuff. Just fix it.”

For those of us who work in Information Technology and Security (ITS), the answer is almost definitely ‘yes’.

As the security industry and mainstream media continue to fan the flames of fear, uncertainty and doubt surrounding ITS, company awareness and paranoia are reaching unprecedented levels. As a result, many company directors are acutely aware of their responsibilities concerning Information Security—just ask the ex-CEO and ex-CIO of Target.

When a security problem arises, the reaction from ‘the business’ is, in many cases, perfectly predictable. “Get the ITS team to fix it.” But this is a purely reactionary solution, one that does not speak to the requirements of the business in any way, shape or form.

Armed with the ‘fix it’ solution and a limited understanding of your business’s requirements, there is a high chance the security problem will get worse over the long term, and you’ll be the one in the firing line.

The good soldier

I’m a massive fan of the original Star Trek; it always provides great insights into the human condition:

Kirk: How much refit time before we can take her out again?

Scotty: Eight weeks, sir. But ye don't have eight weeks, so I'll do it for ye in two.

Kirk: Mr. Scott. Have you always multiplied your repair estimates by a factor of four?

Scotty: Certainly, sir. How else can I keep my reputation as a miracle worker?

Kirk: [over the intercom] Your reputation is secure Scotty.

The Information Technology industry is full of intelligent, hard-working and technically-minded people: great problem solvers who have an innate ability to respond to a crisis. Like Scotty, it’s not uncommon for these ‘good soldier’ ITS teams to get straight into the problem.

Unfortunately, by failing to insist first that critical questions about the business’s requirements be answered, these ITS teams will be:

• Forced to guess the true business requirements;
• Left with full responsibility;
• Crossing their fingers, hoping they have it covered; and
• Copping the blame when it fails.

Passing the buck

The reality is that responsibility must ultimately lie with both IT and the business.

How can ITS teams possibly take on a problem without first knowing what the business’s data sensitivities are or how the business intends to access and store the data, and what risks the business is willing to take?

Taking advantage of the good soldier mentality may simply be habit, ignorance, or a way to avoid responsibility, but it doesn’t serve the business’s interests if its part of the equation is missing. Any resulting solutions will be poorly matched.

Every organisation needs to take the lead and ensure that its requirements are well understood before passing the buck.

The business is from Venus and IT is from Mars

I don’t think I am generalising when I say that you are more likely to find an engineering-focused person in an IT department than a politician. The Business and IT have always struggled to find a common language and are often reluctant to venture into each other’s foreign world.

Unless we find the right language and tools for both sides to openly discuss and determine business requirements, and accurately translate them from the Business to IT, it is unlikely that any solution will be a good match.

Ensuring the Business and IT are on the same page is critical.

Dial a vendor

Most of us, I’m sure, will confess to dialling our takeaway food of choice when we can’t be bothered cooking. Yes, it’s expensive, and yes, it’s not the most nutritious option, but at least we won’t go hungry and can enjoy some slack time.

Funnily enough, this is strikingly similar to dialling a security control vendor.

When we are facing an ITS problem and it all looks too hard and inconvenient, the easy option is to call a security vendor to ‘fix it.’ Not surprisingly, you’ll pay too much and, while you won’t go hungry, your organisation’s health is unlikely to improve.

Many organisations naively trust vendors as independent experts when ultimately, the agenda of the vendor is to convince you that more security is better, regardless of your specific business requirements.

It is the explicit financial interest of all security control vendors to sell the idea that ‘more security is better’. They are unlikely to provide a balanced solution, they won’t cop any responsibility, and are sure to drain as much money from your organisation as possible.

This is just another ‘fix it’ solution in disguise, perpetuating the good soldier problem. 

So, what’s the way forward?

The first step is to recognise the security problem. You may very well be part of it.

The problem itself is not technical. It is a business problem which probably requires a technical solution. Once that is understood, you’ll be able to rephrase the answer to all of those uncomfortable questions: what value the business places on its data, where it is stored, how people intend to use it, and what risks they are willing to accept.

If the business acknowledges its share of responsibility, IT acts with a clear understanding of business requirements, and independent methods and supporting analysis tools are adopted, optimal information security outcomes will be achieved.
