Why can't Information Security be implemented off-the-shelf? Why is Governance a must have? Why is there no ‘Silver Bullet’ in Information Security?
Information Security has gained epic importance over the years. Information Systems, regulations and certification bodies have matured considerably to address information security & its cause.
Organizations all over the world have shown dedication towards Information Security, which is clearly evident in:
- Increase in Information Security Spending per annum
- Hiring dedicated Information Security professionals
- Segregation of duties for Information Security Teams from routine business operations
- Global increase in the number of certified organizations year-on-year
- Increasing public and employee awareness
However, there are several forces that influence the use and development of information security related technologies, products & services.
1. Research Group Reports – The Modern CxO’s Bible.
The likes of Gartner & Forrester produce the most influential reports on trends & insights for the CxO to make an informed decision. What in fact happens in most cases is that senior management takes these research reports as firm guidelines, and this often misleads them.
What I have personally realized is that, as far as Information Security is concerned, the mantra of “If it works for them, then it will work for us” is plainly wrong. There are dozens of initiatives that are pushed from the top which eventually end up in the trash. India has witnessed huge multi-million dollar projects being scrapped, because the people who authorized them didn’t know what they were talking about.
“The report says that this product is better and more secure. What are we waiting for?” – This is the most common pitfall any senior management can fall for. There are an increasing number of cases where products are replaced, upgraded or integrated with other products for the sake of proving a point.
You are not more secure just because you have the best, latest or the most popular products. Several management teams fail to realize that a mere product or technology is NOT good enough to secure your organization.
“Use the data, trends & comparisons of research reports as a supporting guideline and not as the Bible”.
2. The ‘Vendor’ strikes back
One must always keep in mind that every organization and geography is unique with respect to culture, people & technology. Similarly, you can never have a one-size-fits-all approach to information security.
With the increasing number of technology, product and services options, the modern day information security manager is swamped with choices as far as vendors for a particular technology are concerned. So which one is right for you?
Vendors often cite examples of compromised systems or security lapses to make an up-sell. These information security breaches are often magnified and overblown to accommodate the features of one particular product. And we’ve clearly come a long way since the Heartland Payment Attack.
The general tone of any information security vendor is: “This could happen to you unless you use a particular product / technology”. Very rarely have I come across a vendor who promotes his/her product in a positive manner and only talks about the product’s actual advantages.
Most vendors will try and score brownie points out of comparison sheets (highlighting the shortcomings) of their rival products. This is also because of the natural human tendency of an Information Security manager to ask “What’ve you got, that they don’t?”.
Yes, vendors are an influential force today. Pushing products into the market & industry does require a unique talent, which I appreciate. However, lately information security vendors are increasingly using the fear factor and strong-arm tactics to pressure information security managers into deploying rather unnecessary technologies and products. Why have we never heard of a vendor pitch accepting responsibility for a failure to protect a company’s infrastructure?
Since DLP & DRM are the talk of the town at the moment, I would like to take the opportunity to use them as an example of why off-the-shelf is not always off-the-hook, and of why Governance (next point) is still key to success.
Most DLP/DRM vendors promote the fact that by deploying their solution you can achieve SOx, HIPAA, GLBA, etc. compliance.
Well, that’s just a false promise & a blatant lie. Locking down or physically removing DVD-RW, USB & floppy (if any) drives does not resolve this issue either. Any DLP software is just a program; at most it can restrict you from printing, editing or revealing data in locked areas, etc.
Let’s now look at what a DLP can NOT do:
- It cannot stop hard copies being physically taken out of your facility
- It cannot prevent the use of a mobile phone camera or scanner software
- It cannot prevent a HDD or a tape from being taken away
Let us agree, then, that DLP is not something you can achieve with a mere piece of software. It is a humongous initiative that requires strict controls, strong governance & continuing vigilance.
If you are still not satisfied, here is an addendum to the list of things a DLP can NEVER do for you:
- Implement a clear screen / desk policy
- Implement physical security controls
- Remove unnecessary rights from administrators & domain owners
- Impose restrictions on social media
And so on… Moral of the story – Irrespective of vendor claims, there is no ‘silver bullet’.
3. Governance – Do we really need that? And whose job is it?
Technology and products, once deployed, need to be integrated into a company’s DNA for maximum results. Often, products and technologies are procured and then heavily under-utilized or wrongly utilized.
There are several reasons for this:
Insufficient testing & lack of Proof of Concept (PoC):
- It is vital to test not the product’s features, but how the product will actually address the business need. Most PoCs revolve around testing the product itself & never really examine how it will talk to the other business components (people, process & technology).
Multi-function products are procured to address a single business requirement:
- The remainder of the functions either remain un-configured or are never utilized.
Dilution of the core project team:
- While this remains an underrated cause of failure, it in fact tops the list. When undertaking any project, an organization typically assigns a project manager and a small team behind them to initiate the project.
- However, this team does not stay as-is till the completion of the project. The core team, which actually knew the business hurdle and the objective of the project, dilutes over a period of time & the cause is lost in thin air.
- This is most often the cause of poor implementations and ineffective security, and it also causes a tremendous amount of re-work (read: cost).
Exceptions and overrides from the top:
- While Information Security often imposes restrictions for its cause, these restrictions are often overridden from the top. This often kills the cause of the project.
- While exceptions are a good thing to have, they really should be treated like ‘exceptions’ and not routine business calls.
Lack of integration with existing workflows and service management environment:
- The new product or technology should fit itself into the existing service management environment, and NEVER vice versa.
- The product or technology should never change the way you work; it should always be the other way around.
- Change & impact assessment should be formally redone even though you’ve (repeatedly) tested the product.
Roll back strategy:
- Yes! A product can fail. It can fail to meet the business, performance or technical requirement (despite what its brochure/data sheet says).
- Most project teams work under the assumption that if it succeeded in the test-bed or in a 30-40% sample environment, it will eventually go all the way.
- There MUST be an exit strategy in place.
Cross-posted from iManEdge