First thing first: IT security leaders do an incredible number of things right when it comes to protecting the enterprise, the employees within it, and the organizational data. But we all have room for improvement, especially with our security. These are areas that upon closer reflection, don't really service the security mission -- even if some of those very things have become accepted as "best practice" approaches over time.
Likewise, there probably are some steps we haven't taken that improve security, due to time pressures, no budget, or a lack of management support.
The following scenarios are common missteps taken in an organization's security program. If you see yourself and your security organization in any of the following scenarios, now's the time for a course correction.#1 You're over-protecting the environment.
Here's a time-honored assumption in the security community: There's no such thing as too much security. Well, actually, there is. It's going a step too far, for example, to aggressively lock down internal folders so that employees can't share files conveniently. If you do, they'll find ways around the security measure that are much more risky. Security has to be appropriate to the risk at hand and balance protection policies against the need for the business to get the job done efficiently and effectively.
If you forget about that in this globally competitive environment, you may not have to worry much longer about your business' security, either - since the organization may find itself left in the dust by more nimble players.#2 You're under-protecting the environment.
There is another side to the "too much" security story, and that's when there really is too little security. The University of Nebraska, for example, recently had an incident in which Social Security Numbers, names, addresses, and other information about students who attended the school since the 80s was apparently breached. Reports indicated that the personally identifiable data may have been poorly encrypted, if at all.
Under-securing some things while over-securing others has a common root cause: The lack of a real process for assessing and managing risks. Decisions about security approaches to particular issues should be guided by a simple rule: Risk = impact x probability, offset by the cost of mitigation. Yes, it takes time to undertake such an assessment across the enterprise, but it's the only way to understand where the greatest vulnerabilities lie, and structure protection accordingly. Plus, with this approach you can start with those risks that have the highest impact or greatest likelihood, rather than trying to address everything in the enterprise.#3 Your password guidelines are out of touch with reality.
It's one of the oldest security chestnuts in the book: Almost every IT security organization mandates that users shouldn't share their passwords with anyone else. Yet, that's the very requirement that high-ranking executives are most likely to pay no mind to. They regularly pass their security details right along to their administrative assistants (aka secretaries), who very often require the information to accomplish what the boss expects of them.
If your CEO is not going to comply with password guidelines, how can you expect conformance throughout the company? More to the point, what sense does it make to even have a requirement where you can't determine compliance and that will be flouted at every level? A better solution is to allow users to share security information with known and trusted entities as needed, and with the understanding that they are accountable for their decisions and the access to their accounts. This will encourage all users to choose password partners wisely. It's a low-risk approach, and more importantly, it doesn't set a tone in the organization that it's okay to bypass IT security policies at will.#4 Your security and IT staff is "above the law."
Imagine if the members of Congress didn't need to follow the laws they themselves created. That wouldn't work for the country, and it doesn't work for the enterprise if security teams bypass the processes they've put in place to ensure the organization stays safe.
Yet, it frequently happens. Take, for example, the policy of least privilege for access to both virtual and physical resources, which most security groups apply to pretty much everyone else in the organization. But very often you hear stories about infosec personnel or systems administrators having more access than needed. The fact is that everyone in the organization should play by the same rules and be kept to the same standards of limited access. That includes having a process by which temporary access to data or systems is revoked after a staffer has addressed an unexpected issue for which he isn't normally responsible.#5 Your security procedures for safe IT troubleshooting aren't well-defined.
Reducing security controls -- turning off antivirus software or firewall rules, for example -- while troubleshooting is a common practice. But procedures to ensure that no risky behavior is engaged in while those controls are turned off (like checking email), and confirming that those controls are later turned back on, often run a little fast and loose.
That's a mistake that IT security teams need to rectify quickly, before hackers can take advantage of inattentive behavior. A fix could include, for example, having an independent validator ensure that anti-virus software that was turned off on an employee's PC actually is turned back on after tech support solves the user's problem. It's also important to make sure that security teams confirm the alerts they get about issues like inactive AV, too, and not just turn off the notification.#6 You give the business what it wants without understanding what it needs.
IT security groups sometimes are asked by the business to deploy a particular solution, without being told what the real problem is. Following those requests without probing into the heart of the matter could result in busting the budget on products that don't necessarily make the business more secure.
It's important that IT security leaders ask to have the problem clearly stated, and also have the authority to determine the best methods to handle it, whether that is a new technology deployment, or a policy or process change.#7 Forgetting deterrence as a security product.
The U.S. military is already there, getting out the message that the government will hack back if it's cyberattacked. If your IT team isn't taking deterrence seriously, it should be.
Let employees know that you reserve the right to monitor Internet activity, for instance, and they'll think twice about visiting sites they shouldn't, for fear of repercussions. Letting people know you have a strong security presence is a smart step to a more secure environment.
Fixing the slips
The issues listed above are common in many organizations, so you are not alone. You should take the time to address these and take baby steps in correcting your course for a more secure enterprise. With the end of the year on the horizon, why not assess how your security organization can do better, so that the New Year can start off right?
Ron Woerner is a noted speaker and writer in the security industry and the Director of the M.S. Cybersecurity program at Bellevue University. He has twenty years of corporate experience in Information Technology and Security, and has worked for HDR, TD Ameritrade, ConAgra Foods, Mutual of Omaha, CSG Systems, and the State of Nebraska. Ron earned his B.S. in Computer Science from Michigan State University and his M.S. in Information Resources Management from Syracuse University. He is a Certified Information Security Professional (CISSP) and Certified Ethical Hacker (CEH).