CHICAGO -- How often have you heard that enterprise security is only as strong as its weakest link?
And, how often have you heard that people are the weakest link in security?
Giga Information Group vice president and research leader Steve Hunt espoused the theory last week at Security Decisions that security in the enterprise is a people and process problem, with technology trailing in third on the list of priorities for security officers.
"Effective people and processes equal good security," Hunt said.
Hunt wants to see enterprise IT catch its breath and equate security with its business model. The rush to add applications and connectivity that only served to stress IT architectures has abated in the down economy. It's time to evaluate how much risk an enterprise is willing to absorb, and adjust spending and priorities accordingly, Hunt said.
"Prioritize your budgets," Hunt said. "Build your staff, then the processes to support them, then the technology. You can succeed with 10-year-old technology if the people and processes are top-notch."
The expected post-September 11 security spending boom has been a bust. CEOs promised more spending, but the only thing that has been elevated is awareness.
"People might be more aware, but we've still got a pretty bad people problem," said Ryan Mire, network administrator for the Lafayette Consolidated Government, a government agency for the city of Lafayette, La. "Lack of training is a problem. We're currently migrating from a mainframe environment, so a lot of our users have used nothing but a terminal. Some of them don't know how to use a mouse, much less are well versed in security."
Awareness is the first step toward solid people and processes, Hunt said. A solid starting point for most big businesses is the appointment of a chief security officer (CSO), a coordinator of security efforts in the enterprise who is on a par with other senior management and reports to the CEO. That's a top-level view of the job description, Hunt said. Drilling down is much more difficult, and Hunt expects CSOs to have a difficult future, especially if enterprises don't appoint them as frontline executives in the corporate structure.
Regardless, CSOs could serve as coordinators of security administration, policy development and technical support.
The security process, meanwhile, measures the effectiveness and efficiency of security in an enterprise. "Identify the current and desired state of enterprise security and the gap between them," Hunt said. "Measure the time it takes to create a policy or push it to users. Also, measure the time it takes to deploy and test technology and the time it takes to respond to incidents."
"That mindset (of putting people and processes ahead of technology) has to come," said Phil Pagir, a service engineer with Boeing Corp. "Enterprises are still in 'implement now, and worry about it later' mode. They don't want to take time to go through the necessary processes."
Fundamentally, IT and security are at odds, Hunt said.
"IT security staffs are doomed from the start," Hunt said. "It's all about uptime, performance and throughput for network administrators. For security staffs, it's all about stop, stop, stop. IT security is handcuffed because they have the directive of throughput first and data protection second. Availability is mandated by business."
Key to the process portion of Hunt's argument is the exercise of mapping technology to business needs and measuring its effectiveness. Identify and prioritize the value of a transaction against the cost of deployment, ease of use and confidence in user authentication, he said.
Hunt suggests establishing a metric based on the gap between the current and desired states of IT security. Event-based history can then be used to verify the gap, identify the implications of ignoring or mitigating the risk, and aggregate best practices from other sources that have mitigated similar gaps effectively.