Five Warning Signs Your Security Policy Is Lacking
At least that appears to be the major focus of a recent security report from Cisco. I think it makes a mistake, however, by focusing on technology to address what it largely identifies as a behavioral problem. I was a security auditor for a number of years and head of a security research division, and have owned security several times during my career. I learned that a vastly more successful, and much more cost-effective, approach is to address the behavior directly. However, that choice is not one a CIO can make; like other decisions that affect the entire enterprise, it must come from the top.
In the end, I agree with Cisco that the problem exists. Where I disagree is both in who should address it and how it should be addressed.
Defining the Problem
The report starts out by accurately describing the status quo, which is a general business world where initially employee security training consists of being told not to lose laptops or share passwords. It doesn't point out that this has been degraded a great deal from earlier times and from more secure companies like Apple where employees are a much more critical part of the security solution.
It then looks ahead at the trend to bring consumer products into businesses, which don't even have basic security, and an increased tendency, particularly by younger employees, to want to share what they are doing and seeing on social media. Added to this is the trend of increasingly allowing employees to work on anything, anyplace and you have a recipe for disaster.
The report does point out that part of this disaster recipe is the tendency for new employees to think security is someone else's problem. And there, I think, lies the mistake.
When Steve Jobs took over Apple, it actually had an ongoing and uncontrolled practice of leaking confidential information. The company was heavily targeted by news organizations wanting the latest scoop and, as a result, when new products were launched, they had already been widely discussed and often dismissed as inadequate. That was a big part of why the company was failing; it had lost control of the images that surrounded its products, and while competitors rarely took advantage of this information, they easily could have. A company that has since been defined by its ability to control its image and that of its products was, back then, unable to keep the necessary secrets.
To address this problem, Steve Jobs drove a military-grade security policy into the company. Security became everyone's responsibility and breaches, even unintentional ones, resulted in termination (granted, in some cases the termination was reversed when it was disclosed the employee did nothing wrong). World War II posters were placed on walls ("Loose Lips Sink Ships") and training on behaving properly both inside and outside the company was commonplace.
On top of this, information was regularly released inside the company that was altered so it could be connected back to the group and eventually the individual who leaked it. This allowed the punishment mechanism to function and, eventually, the Apple employee became what is arguably the most trusted (with regard to confidential information) in the technology industry.
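The altered-copies technique described above, sometimes called a canary trap, is a detection control rather than a deterrent on its own: its value is that a leak can be traced back to the copy it came from. The following is an added example, not Apple's process or the author's tooling. It renders a distinct variant of a constructed sample memo for each recipient by choosing among interchangeable phrasings, keeps a ledger of who received which variant, and scores a leaked excerpt against that ledger so that even a partial or paraphrased leak yields a ranked answer. The memo text, the variation points and the recipient names are all constructed for illustration.

```python
"""Per-recipient document variants for leak attribution (canary trap).

Added example, not Apple's or the author's code. The template, its
interchangeable phrasings and the recipient names are constructed.
"""
import re

# A memo broken into fixed parts (str) and variation slots (tuple of
# interchangeable phrasings). Constructed sample; a real memo would carry
# many more slots so that thousands of recipients get distinct copies.
TEMPLATE = [
    "The", ("new", "upcoming"), "device ships in", ("Q3", "the third quarter"),
    "with a", ("redesigned", "revised"), "enclosure and", ("improved", "better"),
    "battery life.",
]


def _slots(template):
    """Indices of the variation slots in the template."""
    return [i for i, part in enumerate(template) if isinstance(part, tuple)]


def capacity(template):
    """Number of distinct variants the template can produce."""
    n = 1
    for i in _slots(template):
        n *= len(template[i])
    return n


def _choices(template, code):
    """Decode a variant number into the phrasing chosen at each slot (mixed radix)."""
    chosen = {}
    for i in _slots(template):
        options = template[i]
        chosen[i] = options[code % len(options)]
        code //= len(options)
    return chosen


def render(template, code):
    """Render variant number `code` as plain text."""
    if not 0 <= code < capacity(template):
        raise ValueError("variant code exceeds template capacity")
    chosen = _choices(template, code)
    return " ".join(chosen.get(i, part) for i, part in enumerate(template))


def issue(template, recipients):
    """Assign every recipient a distinct variant; returns the ledger {name: code}."""
    if len(recipients) > capacity(template):
        raise ValueError("not enough variation points to give each recipient a unique copy")
    return {name: code for code, name in enumerate(recipients)}


def _present(phrase, text):
    return re.search(r"\b" + re.escape(phrase.lower()) + r"\b", text.lower()) is not None


def attribute(template, ledger, leaked_text):
    """Score each recipient's variant against a leaked excerpt.

    Per slot: +1 if the recipient's phrasing appears, -1 if a rival phrasing
    appears instead, 0 if the slot is absent (paraphrased or cut). Returns
    (best_recipient, best_score); a tie for first place returns (None, score)
    because the excerpt does not single anyone out.
    """
    scores = {}
    for name, code in ledger.items():
        chosen = _choices(template, code)
        score = 0
        for i, phrase in chosen.items():
            rivals = [o for o in template[i] if o != phrase]
            if _present(phrase, leaked_text):
                score += 1
            elif any(_present(r, leaked_text) for r in rivals):
                score -= 1
        scores[name] = score
    best = max(scores.values())
    leaders = [n for n, s in scores.items() if s == best]
    return (leaders[0] if len(leaders) == 1 else None, best)


if __name__ == "__main__":
    ledger = issue(TEMPLATE, ["alice", "bob", "carol"])
    for name, code in ledger.items():
        print(f"{name}: {render(TEMPLATE, code)}")
    leak = "Sources say the upcoming device will ship in Q3 with a redesigned enclosure."
    print(attribute(TEMPLATE, ledger, leak))
```

The scoring deliberately tolerates a partial leak: a slot that was cut or reworded scores zero rather than disqualifying the recipient, and only a rival phrasing counts against them. With sixteen variants from four two-way slots the sample template covers three recipients easily; in practice the number of slots has to grow with the distribution list, which is why such memos are usually seeded with many small, innocuous wording differences rather than a few obvious ones.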
IT Is Not Your Mama
Technology can certainly play a role both to limit the opportunity for a breach and to identify one once it is made. However, it can't successfully become a parent. In fact, particularly with young employees, there is a tendency to rebel and efforts to secure information that don't include behavior modification may have the opposite effect as that rebellion results in a breach of security. They may see it as a challenge.
Strangely, as was often the case when I was a security auditor, it was the executives who were the problem. Many seemed to think that one of their privileges was not having to adhere to security rules, and audit findings regularly showed confidential information exposed because the guidelines were inconvenient. For instance, in one office executives regularly brought in unauthorized women for entertainment (read between the lines) purposes. I understand their spouses were not amused. These executives were rarely punished, and technology can't fix this.
Given IT does not have the authority to discipline line employees, typically the solution can't just reside in IT. And should IT take the parental role of telling employees how they should behave or in trying to remote control devices the employee thinks they own despite employee objections, the result likely will be a growing desire to outsource IT as a problem. However, if IT instead supplies tools that can help keep an employee or executive from accidentally violating a policy that could get them terminated, then IT is a partner in security and the result is likely to be far stronger.
Wrapping Up: Technology Isn't THE Solution to a Security Problem
One of my most memorable moments at IBM was during sexual harassment training. The class was told that IBM had instituted a zero-tolerance policy with regard to inappropriate behavior, and in the class was one of the highest-performing IBM sales reps. Someone of his caliber was thought to be untouchable. This sales rep proceeded to tell an off-color joke, the instructor made a call, and two large security officers came in and escorted the now ex-IBM employee off the property. Since those in the class likely knew the guy, I've often thought the event was likely staged to make a point. I wasn't even in that class, yet I can recall that even thinking of telling an off-color joke or accidentally saying something inappropriate would send chills up my spine.
My conclusion after years of doing security audits is that if the employee is an active part of the security solution, you'll have fewer problems. If they aren't, they'll always find a way around technology and much of the money you spend on security will be wasted. In short, if the solution doesn't start and end with the employee, then IT isn't in a good position to secure the enterprise and perhaps shouldn't accept the responsibility for something they won't successfully be able to do.