Wednesday, May 23, 2007

Consulting at Small Business

Over the past several years, I've had a number of consulting engagements where I swear the IT department had a $0.00 budget. I've seen equipment so ancient it would scare you to know that it's what runs at least at a significant percentage of banking institutions.

Why, then, do small businesses continue to engage consultants, such as myself? I'll offer up some insight here - and forgive me if I demonstrate my firm mastery of the obvious, but some things are so obvious we never think of them, unless someone writes them down.

Here then, are my rules for effectively engaging a small business:

  1. Understand the Client - I realize that this isn't necessarily unique to small businesses, but it makes a much bigger impact in the small company. There just isn't that much there to begin with, and in a large company if you flub something, you can typically sweep it under the rug and move on. In a small company - that tactic will get you walked out the door with a boot in your rear-end.
  2. Understand the Client's Market - Captain Obvious strikes again, right? How many times have we as consultants walked into a client, and tried to sell some technology, some process, some tool only to find out that that client doesn't care as much about being innovative as they care about keeping up with the competition? Oftentimes, this is critical because as a small business the competition is usually big enterprises with much deeper pockets! Learn the market-space, at least on the surface, and you'll be more successful.
  3. Be Prepared for the "Low Budget" Speech - The typical small business (those that are not well-funded by wealthy investors) has a very limited budget. Again, not unlike big enterprises but keep in mind that 10% of a million dollars is bigger than that same percentage of ten thousand dollars. You always have to think that you're going to be asked to do more with less. If you start off with that mindset - there will be no surprises and you'll be much better prepared to handle the client's needs. If you go in thinking you're going to put in a million-dollar security system to a company that sells widgets and barely breaks even... good luck.
  4. Know Why You're There - This isn't quite as obvious as we typically think. As a security consultant you're typically thinking... "I'm here to put some security in place, they must need something firewalled, virus cleaned, etc". And you'll typically be wrong. You as the consultant are typically there to meet some business-initiated need. This turns into a much deeper philosophical discussion but I'll make it short for reading purposes (write me if you want to talk philosophy!). Businesses are there to make money, period, and you're there to do "something" to help them to that end. I don't think I've ever met someone in a small business who has said to me "Gee, I think I have a virus infection, please come clean it for me." Instead, the need typically comes up as "My PC is slow and I can't get my work done effectively, come see what the problem is." After doing this a while most of us start to see this and just think of it as second-nature... but if you're not going into it knowing you're there to solve a business issue through some technology, you're going to have a hard time figuring the task at hand out.
  5. The Right Answer is Not Always the Right One - There are always at least two answers to every IT problem. The right(1) answer, and the right(2) answer. I'll explain here. The right(1) answer is the Cadillac, in our minds as consultants. It's the full buildout, all bells and whistles, and the armed guard. The right(2) answer is often the used '87 Cutlass. It'll do the job, and it is cheap. Ponder that for a minute. Always be prepared to give both options to your small business client. This is actually a key differentiating point between consulting at the enterprise and consulting at a small business. Small businesses love the used '87 Cutlass, enterprises can afford the shiny, new Cadillac. What's "good enough"? How much security does your client need to protect their digital assets? Consider their size and income, and then come up with the right solution carefully.

So there you have it - 5 of the most important rules (in my humble opinion) to live by, and consult by - when dealing with the Small Business (SMB) market. If you've got some insight to share, please post a reply, or email me! I'd love to hear your thoughts.

Thursday, May 17, 2007

Security is a Business Decision

After thinking about this for some time, I thought that my return to writing about security issues would of course have to follow in the ways of my previous writing - unsettling to those of us who are in IT Security. Please take a moment to re-read the title again. Once you're fairly sure you've understood it, think about what the implications are. For those of you who don't quite get it yet - allow me to elaborate on exactly what it is that I'm talking about.

In the past several years, IT Security has gone through a great cycle. First we saw the birth of IT Security departments within companies as they realized the need to protect themselves from "bad guys" out there, in the bits and bytes world of cyber-space. Next came the phase which I call blissful ignorance. The business realized that they now had a "security guy" whose job it was to keep them safe - but they really distanced themselves from us - made our lives difficult. Maybe this quote will sound familiar - "I have a lot of responsibility - but no budget or power." The third major phase was reluctant acceptance. The business saw that they were being pressured from outside "bad guys" and had no other alternative but to give the IT Security guy they hired the time of day. Finally IT security had budgets, and some ability to drive change throughout the organization. After that, and most recently, came what I call business integration. Over the past few years IT Security has increasingly been given tougher and tougher problems to solve - some even outside the realm of IT knowledge! But the main theme at this phase was that the business saw IT Security as a necessary evil which it could use to beat back the ever-increasing evil presence all around. Fraud, hacking, denial of service were on the front pages of the Wall Street Journal, and panic by the heads of business resulted in an accelerated push to bring security more and more into the mainstream of IT and out of the closet. Now, I believe, we are living in yet another phase. We've accepted IT Security as a mainstream concept which all businesses need to embrace - but we're moving beyond that. We're moving into a time where IT Security must evolve past its IT-based roots. The final phase of the maturation of IT Security is business integration. The business is now understanding, albeit slowly, that IT Security is less a function of IT operations and more of a function of Business Risk.
This is the key to actually getting things done, and the point of my writing.

The security of a business's digital assets is no longer a simple matter of slapping a firewall in front of the web presence, or putting anti-virus on users' computers. This is no longer good enough. Security is now learning to understand the business and how it functions, what makes it tick, and how it makes money. One of the things that I've personally taken away from the last 2 years at my current position as Security Architect is that we can no longer afford to operate in a vacuum of IT. Security can no longer build and attempt to execute policies which don't take into account the business processes and concepts which make the business what it is - a profit-based machine. After all, in order to sustain itself a business must make money.

Let's take something as simple as... passwords. Three years ago (or more) passwords were simple. Then, as we learned that they were crackable, we ratcheted up the complexity and frequency of change. Now we're at a point where password policies in most businesses are so complex and the change cycle is so frequent that we have totally defeated ourselves. Even I think of the password policies of 8+ characters, letter, embedded numerals and special characters which change every 30 days as ridiculous. What is the end result of this increase in complexity? It's actually quite simple if you ask any non-technical person. First, people simply try to avoid such systems. Second, these passwords are written down, pasted to a monitor or under the keyboard. Neither of these two outcomes makes the company better off.

So what is the answer? Risk analysis! As a Security analyst you have to learn the business, learn the processes, learn the people and how customers are served. Learn what drives the business. Then, take the policies you've written in the vacuums of IT Security space, and compare them against the business side of things - what happens? Oftentimes you'll discover that you're asking the business to spend a million dollars on securing a product which will net the company a very small potential yield. In cases like this, the answer often is - "Fine, we'll just simply turn it off!" This, again, makes very little business sense. We as security professionals must evolve. We must understand that in order to pay our salaries the business must make money - and in order to do that we have to have functional systems which customers aren't afraid to use. How do we do this? How do we strike this balance?

This is the key, ladies and gentlemen. This is what separates effective security professionals from everyone else. Being able to look at a system, understand the business process which drives it, and apply just the right amount of security such that the business is satisfied that it can function, and security is satisfied that it is reasonably secure is the key to success. I can't stress enough how important it is to look at both sides of the equation. Security and business must both be analyzed and understood in order to come up with just the right amount of security to [and here comes another golden key] enable the business. Security must be an enabler of the business.

So, why do I write that security is a business decision? Because it must come from the business itself. IT cannot make the business secure anymore. We can't patch people against social engineering, we can't patch business processes against logical flaws, and we can't run security in a vacuum anymore. These must all be driven from the business, with the proper consultation from security. Only then will we actually start to change the security posture of our enterprises.