What do you believe is the greatest hurdle to effective Information Security? Traditionalists will moot such woes as underfunding, poor communication, lack of knowledge or simply not caring.
In this article I will explore what I believe to be the root cause of those "symptoms". I shall attempt to explain the fundamental reason why organisations continue to struggle with Information Security. Finally I will show how IT management and Security Specialists must reconnect for success.
To set the stage I'll ask you to carry out a mental exercise. For no more than 30 seconds, list, in your head, as many disciplines of Information Technology as you can.
Very quickly you'll cite the traditional areas such as Networks, Applications, Databases, Storage and Operating Systems. Think a bit deeper and you'll come up with Virtualisation, Cloud Computing, E-Commerce, Data Management, and Mobile Technologies.
Go further still and you'll uncover such topics as Service Assurance, Capacity Management, Disaster Recovery and Business Continuity. Then of course we have many externally mandated standards such as SOx, HIPPA and PCI DSS to name but a few. To finish off you should consider control frameworks such as COBIT and ISO 27000 series.
Information Security transcends ALL of those disciplines. Consider fields as diverse as Security Architecture, Awareness Training, Social Engineering, Physical Access Controls, Computer Forensics, Privacy law, Threats & Vulnerability Assessments, Cryptography, Policy Documentation and finally the ever enjoyable Internal and External Audits.
Security Specialists can be called upon to give detailed responses to any of these topics in relation to Confidentiality, Integrity and Availability of the aforementioned disciplines.
Now consider that often one person or a very small group within sometimes rather large organisations is expected to have the answers. With even the best will in the world it is extremely difficult to do justice to such endeavours. No other IT discipline has such a magnitude of scope.
So why is Information Security viewed as a niche?
First and foremost it is a business challenge, so why place those accountable in a technology role? When you place Information Security under the control of the technologists, their accountability is greater than their influence which equates to expensive, inefficient and often ill-conceived ad-hoc solutions. Rarely are we stronger as a result.
A paradigm shift is underway in Information Security as ever tightening externally mandated standards, greater legal pressure to disclose security breaches and litigation being brought to bear equates to a steeper and deeper downside of getting it wrong.
The simple truth is that Security Specialists, willingly or otherwise, are entering the realms of Doctors, Lawyers and Accountants.
Take the recent case in the USA of a Payment Card Industry Security Assessment company whose alleged failure to address an unencrypted data base led, in part, to one of the largest breaches in history of credit card fraud.
The financial organisation that felt this pain decided to sue for more than just a few million dollars. The days of IT specialists shrugging their shoulders as a defence are in the past.
So how do we do better? The answer is two fold.
Firstly Senior Management must fully appreciate that Information Security is a business wide problem that requires appropriate attention, not simply a product that the Security Team/Person delivers. Secondly Security Specialists must learn to translate their solutions and ideas into tangible business terms i.e. Sell!
Security Specialists should sell high frequency system patching or the requirement for a security tool in terms that CEO's understand. Traditionally Security Specialists may simply state that a patched system is a more secure system or that having central logging can help dissuade attackers. These business cases are both accurate and commendable but not holistic.
More success can be achieved by showing that a fully patched up to date system increases the robustness and agility of business services, not to mention cheaper support from vendors. Or that a security tool would allow IT managers to maintain compliance all year round negating the requirement for panic driven remediation projects resulting in better financial forecasting.
Security Specialists can be gifted at selling fear. Learn this now: Companies face larger threats than computer hackers. Customers and competition are faster and more destructive. Truth be told CEO's are more afraid of making a loss than of being hacked.
One of the reasons for this focus is CEO's can transfer or accept the perceived risk of an illegal hack but there is nowhere to hide from a business model that loses money. There are only 2 paths to more money; increased revenue and reduced costs.
Security Specialists can generate money by leveraging their position to better shape IT Services that attract more customers and or reducing the costs of running said Services.
IT managers need to embrace Information Security and work closely with Security Specialists to develop ROI. Not just a return from a security perspective but from a business perspective.
Learn to ask the right questions of the Security Experts.
For instance if a business is having difficulty billing all internal customers for systems used the solution can be provided from a whole host of open source security tools that generate a concise listing of IP enabled devices and categorises them for you against business lines. After all you can't secure what you don't know about!
We need to find more and more of these win win situations. An effective security specialist can cost you millions or save you millions and for greatest effect you must allow them to work across your business and not only the technology segment. By careful cooperation Security can deliver directly against the bottom line.
Only then should Security Specialists mention the additional benefits of upholding mandated standards and finally right at the end, as a by-product, almost in passing it can be mentioned we may have even prevented a hack from occurring! All in order of importance to the CEO.
Information Security is bigger than many CEOs and IT managers realise and Security Specialists should invite them in otherwise they will never understand just how big the Tardis is.
Parting note to Senior Management, connecting with your IT Security department doesn't mean you have to travel through a worm-hole!