20 Jul Info Security: Taking a page from the 1950s
What would the world be like without a cold war and arms race? For IT at least, we’re still waiting to find out. Info security is the new battleground with a steady escalation of words and armor. The latest secret weapon? Those cuddly, camp little iPods everyone is carrying around in their pockets. With gigabytes of storage and easy computer connections, the iPod all too easily blows a hole below the waterline of many a security strategy. A security manager could be forgiven for taking a page out of the 1950s civil defense book and crawling under his or her desk.
It’s not news to any IT security professional that the most common threats to security come from inside the organization. As one security wag put it, security at most companies is like a good piece of candy, a hard shell with a soft and chewy inside. Which begs the question of what are we doing inside the firewalls, above and beyond the operating systems, past the authorizations? What are we doing with the most universally vulnerable interface in our systems, the human being?
If it’s not their iPod, it’s their blog. If it’s not their blog, it’s their ever-popular passwords on sticky notes. If it’s not that, it’s something else. Maybe all this is just a variant on my second law of software that says users will invent uses for our software that we never imagined. You can count on it, that when users get inventive, they probably don’t have security at the top of their list of concerns.
Dale Ott is probably the best IT security manager I know, and when we worked together he spent as much time on simple things like awareness as he did on the technologies of security. Oh sure, he did all the firewall, ACL, and authorization voodoo dances that good security folks do. But that wasn’t all he did. He was there during building design asking good questions about just how secure the sexy new wireless network in the downtown building was. He gently reminded all those whiz-bang ERP developers and administrators about separation of controls. He stood up in every new employee orientation and talked about information security. And when the executive suites began to rumble from the beat of the Sarbanes-Oxley drums, he was there as well.
The point is that good security is as much about the people as it is about the technology, especially if you want to focus on the most common source of threats, which is from inside your own organization. I’m not trying to light a fire under security folks. They already know this. What I am trying to do is soften up the folks they talk to, both for cooperation and for money.
The next time a security budget comes across your desk, don’t automatically reach for the red pencil when you get to the training and awareness lines. Yes, it’s expensive to have every employee go through an hour of security training, but probably less expensive than a protracted battle with the auditors or, worse yet, covering the costs of fraud when you manage to turn over your customer data to the bad guys.
The next time you’re hot on the trail of some slick new application design and a security guy starts asking questions about how folks might misuse it, don’t just roll your eyes. The next time an hour of information security training is scheduled, don’t expend your most creative energies on making excuses to be elsewhere.
More and more all our organizations are about information, and the success of our organizations is directly related to the quality and reliability of our information. The most secure systems, the best input edit programs, the toughest security policies, don’t do much good if our people don’t know or care enough to use them appropriately. We’ll leave it to the psychologists to debate the lasting impact of the old “duck and cover” response for civil defense, but one thing it did was raise awareness. What’s your security “duck and cover?”
The opinions expressed herein or statements made in the above column are solely those of the author, & do not necessarily reflect the views of Wisconsin Technology Network, LLC. (WTN). WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.