Patrick Lambert takes a look at a recent McAfee survey that concluded that many in upper management have a poor understanding of their organization's own security policies.
A fairly high profile study was published by McAfee this week, conducted by Gabriel Consulting Group, about security in the data centers of 147 companies. It revealed a lot of interesting data, the most widely reported being that 60% of the IT pros surveyed said their own management was in the dark when it came to understanding security concerns. Apparently, many managers believed instead that their security practices were up to date, when it wasn't the case. In fact, 40% of respondents said they believe their organization's security measures aren't enough to keep up with the current threats.
The study had other interesting numbers also. For example, a lot of organizations use security products from seven or more different sources. However, the vast majority said that reducing that amount did not seem to improve things. For those who experienced breaches in the past, nearly 70% said it came from outsiders, although inside sources often cause more damage. As for the impact of these breaches, the most direct impact was compliance and legal costs, followed by a lost of productivity. Most companies also have a centralized person or division responsible for IT security, along with policies in place, but often these policies aren't even followed.
Finally, the study also covered cloud adoption, with nearly 80% of respondents saying security is a major concern when going to the public cloud. However, most seem to prefer a private cloud, with 60% saying security would not be a major inhibitor to implement such a system. The opinion of IT workers seemed to be split as to whether they thought their organization was ready to implement private or public clouds. The full graphs are published online with the numbers collected.
Of course, one must remember that McAfee has every reason to publish such a survey -- that's the business they're in. But still, who in IT hasn't been in a situation where upper management has ruled against their best judgment because of cost or user issues? How often was a login system set to a lower setting so users wouldn't complain that they forgot their hard-to-remember passwords, or worse, write it down on pieces of paper? How many managers can say they realize all security implications of running that Drupal web site, the public facing VPN servers, or those Wi-Fi access points? There's no question that in a business, profits are rarely connected to security policies.
Centralize security policies
The study doesn't offer much in terms of real solutions, but it's not hard to apply common sense, and often it doesn't need to cost a fortune either. One thing they did touch on was centralization of security policies. This is an important first step, where all organizations should make sure everything that touches IT security must be approved by a single, competent group of people. Too often security holes are opened by dumb mistakes, like a helpdesk worker whose permissions are too broad, and he is able to open a port in your Exchange server without realizing it. Or password policies that change from one department to the next, based purely on when it was established, and then never looked at again.
Make security part of regular communication
Another important element, and one that may help solve the management problem, is communication. A new security policy should not be established based on a three-minute talk with your boss at the water cooler. One way some people have successfully kept their higher-ups informed is with well written, weekly emails detailing in clear English every security related event that occurred during the week, such as new software and hardware deployments, changes in policies, major potential issues, and a small list of recommendations that's been put together by the whole team, instead of just one person. For such a list, it can also help your case to always present two series of solutions, one from standard vendors, and the other using open source or community systems, often just as good but less expensive.
Consider the cloud
Finally, clouds can actually help security a whole lot, if done correctly. For many small or medium enterprises, using a public cloud like Amazon, Microsoft 360, or Google Apps, chances are their data centers are infinitely better secured than what you could do with your small budget. All that remains is getting that information through to management. For example, Google regularly publishes tech talks about cloud security which help cut through the hype.
Of course, there's only so much you can do. The business people need to be willing to listen, and spend money where needed. Users also need to play their parts, and avoid silly mistakes like sharing their passwords or leaving unattended, logged in workstations. But there's a lot that can be done to reduce the uncertainty about IT security, and it starts with training users and communicating the issues to upper management in a way they can understand.
Do these survey numbers seem about right to you? In your experience, do most organizational leaders have a sub-par understanding of security-related issues?