Defusing the security bomb

Mike Thompson

Mike Thompson is the Director of Information Security Products and Services at Linus Information Security Solutions. Mike’s expertise lies in bringing IT and the Business together to improve Information Security outcomes. He has over 25 years of experience across numerous government, commercial and not-for-profit organisations, and is recognised as an ISM expert with the rare ability to articulate complex issues and concepts in plain language and business contexts. Among his many projects he has uncovered computer fraud, ethically hacked a number of organisations, worked as an official adviser to the Victorian Privacy Commissioner and the Victorian Law Reform Commission and designed and developed award-winning software solutions.

Part 2 – The IT perspective

In Part 1, I took a business perspective of the challenges involved in trying to achieve a balanced security approach and the pitfalls of poor alignment between IT and the business. From an IT perspective, the drivers may vary, but similar pitfalls exist.

IT certainly understands the need for solutions that are a good fit for the business, but struggles to deliver. I know from personal experience and from talking with numerous CIOs and CTOs that they are battling daily threats with limited budgets. They live in constant fear that they may not have covered all vulnerabilities. Stepping back and analysing needs may seem like a luxury when IT is constantly having to deal with red alerts.

The underlying drivers of the problem for IT can be broken down into four areas:

1. IT is adopting a ‘siege’ mentality − a reactive stance to the threats that are growing in volume and sophistication.
2. IT falls for the same trap as the business, labelling security as primarily a technology issue.
3. IT does not have a detailed understanding of the security sensitivity of business information. Instead, at best, IT relies on high-level operational priorities to focus its security efforts.
4. Asking the business for guidance can seem too big or difficult a task, or is perceived as outside IT’s responsibility.

These issues are making it more difficult for organisations struggling with ever-increasing security demands and tighter budgets to achieve optimal outcomes.

Batten down the hatches

Some time ago I was contracted to coach and mentor a person in a newly created security manager role. Each week I would run through some structured learning combined with managing hands-on, real world problems in the organisation. The combined theory and practice approach was working well, but we ran into an unexpected hurdle.

After a few weeks, I was asked if I could help with some pressing security issues. The focus shifted to solving these issues and structured training became a secondary priority. Sure enough, as the weeks progressed, more and more pressing technical security issues emerged which drew focus away from training. The person I was coaching was keen and capable, but clearly felt that he was being measured by how quickly and effectively he resolved the emerging security threats. As he became more and more absorbed in issues, he lost focus on the basic principles of security and stopped the training altogether.

The most frustrating aspect to me was that he didn’t realise that he was simply putting out spot fires without understanding which blazes were most relevant to the organisation. It reminded me of the old saying − when the woodcutter’s axe was becoming blunt, he couldn’t stop to sharpen it as he had too many trees to cut down.

In this case, the trainee fell into the all too familiar and reactive ‘siege’ mentality. He was very busy, he felt important and he believed he was adding value. His manager knew no better. Unfortunately the reality was he wasn’t spending his efforts in the right places and the value he was adding was well below what it could have been.

It’s a technology issue

Just like the business, IT often believes that information security is primarily a technology issue and is quite comfortable placing it under the IT banner. Apart from any political advantage, why does IT management think this makes sense?

The key reason is that IT already implements, configures and manages a number of key controls. The critical mistake is not understanding that it is the business, not IT, who should decide where controls need to be applied and at what strength.

This problem is compounded when you look at separation of duties. If a core system has a major security issue, the help desk may prioritise keeping the system going rather than taking it offline to fix the security issue.

Many information security controls need to be configured and managed by IT, but security prioritisation should always be an independent business decision.

Operational perspective

Ensuring critical systems keep running is a key objective of IT, so it is no wonder that security priorities tend to be defined along similar lines. If you ask IT operations staff where information security should be focused, they will typically pick the core applications that are heavily used on a daily basis or information they perceive is valuable, such as payroll data.

Unfortunately, these measures are generally inconsistent with the priorities of the business. For example, most organisations will rate payroll data very low from a security sensitivity perspective, simply because the impact of disclosure or corruption is unlikely to be devastating.

Another operationally expedient way to deal with complex security problems is to adopt a baseline approach to controls. Having a set of pre-defined controls provides reasonable security when applied to most applications. By mandating these controls, security decisions can be streamlined and operational overheads can be minimised. If you are under enormous pressure to make complex security decisions on multiple projects, using a baseline seems like a sensible approach.

So why is this a problem? A baseline approach encourages the assumption that just implementing the baseline will ensure you are covered. Just ask the ex-CIO and ex-CEO of Target in the US if following the PCI baseline worked for them!

It’s OK to establish a baseline as the fall-back position, but you run the risk of under-protecting key assets and, in some cases, over-protecting lesser assets. Always remember: there is no such thing as a ‘one size fits all’ approach to security.

Clearly IT is not in the best position to assess security priorities and will typically drive outcomes based on their operational needs rather than the business’s security needs.

Do I really have to talk to the business?

I do not want to generalise, but it is probably fair to say that IT attracts personalities that love technology and sometimes find it difficult to talk to the business.

Given that the business is the only source of data sensitivity information, IT security decisions are going to suffer enormously without the ability to gather this data. Unfortunately, if the business does not recognise the need to gather this information themselves and take the initiative, IT is unlikely to take the lead.

Part of the problem is that the necessary methods and tools to gather this information are not widely understood. Gathering all the required information can appear an insurmountable task if you have not done it before. This is often the reason why IT falls back to its baseline comfort zone and critical security questions are never asked until conflicts occur over new projects.

There are analysis methods and tools available to make this a simple process. Even though determining data sensitivity is formally a business responsibility, both IT and the business need to make sure that someone takes the initiative to get the ball rolling.

In summary

From an IT perspective, information security can seem like a battle fought with limited resources against a growing enemy, with IT taking full responsibility for any losses. In reality, half the responsibility lies with the business. IT needs to recognise this and ensure the business is engaged. Recognising that there are two parts to the problem, being proactive rather than reactive and adopting a process and language that supports both sides can ensure optimal security solutions.

This article was brought to you by Enex TestLab, content directors for CSO Australia.

Tags: information security, risk, management, IT Security, threat prevention