Article about security as a business problem at Computerworld
on December 3rd, 2007 at 10:55 pm

There is a pretty good article by Frank Hayes over at Computerworld about security being a business problem. Others have been preaching this for a while. I have preached this time and time again over the last year or so on my blog and before that in my recommendations to my bosses, so I am not surprised it comes out again.
Frank was inspired to write his own version by the latest SANS top 20 that says security is a people problem. But Frank REALLY does not like the recommendation of testing your users and cutting off their Internet access if they fail. I don’t like that suggestion either. Seems very harsh. Of course, he is also right that it will do nothing to help and everything to hurt the relationship between users and security.
Then Frank said this:
And that animosity won’t stop with the security group. The IT people who take the brunt of it will be those on the help desk and development teams and anyone else who deals directly with users.
And? Isn’t that what the help desk is for??

Vet

There’s a different outcome to that as well. Sure, the animosity could extend to the rest of IT, but I think more generally, IT will show animosity to security as well. The Help Desk (the rest of IT) tends to be measured on its customer service. If security measures get in the way of them serving their customers (or they perceive them to be in the way), they will side with the customers (internal users) and even circumvent the restrictions. “Don’t ask the users for their password! You should not know their password!” turns into whispers near lunch: “Hey, while you’re at lunch, if the system locks, can you write down your password here so I can open it back up and keep working?” Sure, one can change the password and still make sure only one person knows it at any given time, or force the user to change it, tell you the new one, then force them to change it after the work is done…but still this is often seen as impeding extra work. :\
Such situations will slowly single security out as a separate hated entity that just keeps getting in the way…
Yes, SANS put users on the Top 20, but the business needs to be in there as well. It is almost always a business decision or cop-out that keeps security measures from being implemented properly or at all. If the business really wanted security, they’d get much more of it. “Hey, IT, what can we do to be more secure?” InfoSec: “Not run as admin.” Exec: “Will that impact me?” InfoSec: “Yes, you won’t be able to install good or bad things without IT assistance.” Exec: “Oh…we’ll come back to that some other day…”
Business wants the security, but they don’t want to spend money or be restricted. And if they decide to pony up some money, then balk at that restricted part. Gah!
The comment on that article hits the nail on the head. The business understands risk, techies understand other techies. Technology represents probably around 20% of any security solution. The rest is around users and procedures. Dull but true. Frame the conversation in terms of risk to the business and the decision makers might start to listen.