IT Security: Are You Still Paranoid If You Are Right?
Rajesh Unadkat
If you have been in your IT Security role for a while, I can probably guess a few things about your environment:
- You are up on the latest “everything” that locks down the physical network, the data, the network and the applications.
- You have all of the data protection tools that you can afford.
- You probably have a wish list longer than your current budget for this year and next.
- You know that you can’t stop D.U.M.B. actions if you don’t know what they are doing.
- Bad Decisions
Yes, these are not just for IT Security, but they are the bane of most IT organizations. If you interviewed 100 users, you probably would get agreement from 98.
Look, they know that we need to protect our data. They also know that there are bad actors out there. They intuitively know that we need to follow best practices. They also know that we don’t create the policies to be a burden on them. They probably theoretically agree that the consequences can hurt the business.
But, what they don’t know can really, really hurt the business. IT security used to be like a castle with firewalls keeping everything out. You had a drawbridge, a moat, and a big dragon. IT protected the castle and everyone slept well. But, as IT has evolved, so has the role of security. There are way too many access points into the castle these days; it is more like a modern city. Everything is connected, everything needs a lock and key, and you need policemen patrolling the streets. You also need a citizens’ watch to help notify the police in case something happens. It is no longer good enough for the police to protect us; we need the help of the citizens.
We need a framework for working together so that we can ensure our business security posture is aligned to the business needs and attuned to the business risks. So, we need to turn D.U.M.B. actions into a S.M.A.R.T IT Security™ framework:
- Security Conscious Users
- Manageable Policies & Controls
- Aggressive Training Intervention
- Responsible Incident Reporting
- Teachable Continuous Improvement
A good framework is a start, but from an IT Security organizational perspective, you need a systemic approach leveraging a platform to manage the user interaction and coordinate efforts. Here are some basic requirements that we recommend:
- Centrally manage policies across the business rather than every functional group publishing their own.
- Consolidate to a singular framework for controls that can be absorbed by the users. Don’t have lots of rules from different groups all demanding users follow the policies. Who can remember what?
- A clear, regular assessment regime that users can feel comfortable with, but that reinforces what is important. Don’t test the minutiae, and don’t make it so broad that it has no bite.
- A definitive incident, severity, and escalation process that encourages users to report violations that are real risks to the business, without feeling like they will be shot for being the messenger.
- If security policy is a check-box with lip service for your business, you already know what to do. If it is really seen as a way of protecting the business, then the model needs to reflect a continuous improvement approach that uses compliance as a learning tool for helping the business users absorb, follow, improve, and contribute.
- With the right programs and system in place, information security isn’t an afterthought, but a way to help the business ensure continuity. It also provides users with added benefits in standardizing, documenting, and collaborating around easy-to-win policy frameworks as a foundation for a business continuity program.
- It also can be the template for other parts of the business that are policy driven, like:
  - 3rd Party & Vendor Management (security auditing, contractual compliance)
  - HR Employee Relations (employee policy handbooks)
  - Quality & Safety
Good Information Security starts with the IT security team, but good business ensures that the rest of the organization is on board. If you are still managing your business user compliance via spreadsheets or informally, contact us for a conversation on how we can help you implement smarter IT security compliance.