Stringent access controls, big iron equipment and common sense. What do these three things have in common when it comes to protecting your information assets? Absolutely nothing. The "lock it all down" mentality present in a lot of organizations has created one of the biggest issues working against information security – that is, information security infrastructures being modeled after Fort Knox with not a single thought given to how it will affect end user productivity and hamper overall business processes.
Implementing information security effectively is certainly an art and not a science. There's more to security than just battening down the hatches. I think that there are two modes of information security operation in most organizations today: It's all or nothing, with some obvious exceptions when it comes to securing information. Unfortunately, they're equally bad. There's got to be a balance. A little common sense and higher level thinking can help the average information security professional implement just enough security so that users can do their jobs and the executive management can rest assured that their corporate assets are reasonably secured.
How much is too much? Some well-known system hardening best practices I've seen in the past give warnings like "applying these settings may cripple your systems." Sounds like a little much to me. Microsoft has even made some statements related to their Trustworthy Computing initiative that they will secure their software even if it means that it breaks some of your applications. Isn't that overkill? If security was built-in from the beginning, these inconvenience factors would probably not exist, but I'll hold off on the "security from the beginning" subject for a later discussion.
There definitely needs to be a number of technologies in place along with a certain amount of system hardening to successfully secure information, but what's with some of the so-called security mandates that usually cause more problems than they fix? When's the last time anyone (including yourself) could remember seemingly dozens of complex 7-plus character passwords that must be changed every 30 days? How about when e-mail attachments are required to be compressed -- or even worse, when no attachments are allowed at all -- before e-mails are permitted through the fancy content-filtering application that was just implemented? Or, the latest craze: the banning of all wireless network connectivity and instant messaging due to some security flaws? What does any of this buy? How will any of these help security in the long run? They won't. It's a well known fact that if something is inconvenient, human beings will find a way around it or just stop doing it altogether.
Put a paranoid techie with no business knowledge in charge of security, and the likely result will be a complete lock down of everything. However, a successful information security manager will manage security from a business perspective. This includes focusing on what it really takes to protect information – reasonable policies, user awareness and proven risk management techniques.
When you understand your users' needs, internal politics and business dynamics, your security efforts will go much further than any amount of technical knowledge ever could. It will not only help your career, but information security in general. Grasping how people interact and how business processes work within an organization will put any information security manager in a much better position to know what new information security initiatives will work and which ones aren't worth the effort. I'm not advocating that you should just give up control of all systems to keep everyone happy. That's impossible and unwise. Everyone does, however, need to know that without a certain amount of security their jobs could even be in jeopardy.
The protective measures required for your information are ever changing. Obviously, if your systems are to be secure, changes will have to be made now and in the future. Simply knowing that people don't like change, or at least change that comes on too quickly or strongly, will go a long way. Take it slow. Introduce your users to new security changes and explain to them how it will benefit, rather than inconvenience, them and the company. Demonstrate how reasonable security measures implemented in advance enables your organization to spend less time, money and effort preventing security incidents than cleaning up after incidents occur.
Focus on security from a practical perspective rather than a theoretical perspective. Look at what really matters – like putting more effort toward securing data at rest rather than securing data in transit. Look at requiring strong passwords that are easy to remember but only need to be changed once or twice a year – if that. Look at educating users on what their computer responsibilities are and what to look out for. Concentrate more effort on understanding your organization's mission and what really needs to be accomplished rather than on what sounds good based on some marketing materials. If you work to find the right balance, you'll know in good conscience that you're not supporting a battle, but rather a successful marriage between security and convenience for everyone's benefit.
About the author
Kevin Beaver, CISSP, is president of the Atlanta-based information security consulting firm Principle Logic, LLC. He frequently speaks on information security and HIPAA security readiness and serves as Secretary of InfraGard Atlanta. As an expert on SearchSecurity.com, Kevin answers your questions on security policy and HIPAA.
For more information on this topic, visit these resources:
- Executive Security Briefing: Stop reinventing the security wheel
- News & Analysis: Addressing security's people problem
- Best Web Links: Security management