Thursday, May 17, 2007

Security is a Business Decision

After thinking about this for some time, I thought that my return to writing about security issues would of course have to follow in the ways of my previous writing - unsettling to those of us who are in IT Security. Please take a moment to re-read the title again. Once you're fairly sure you've understood it think about what the implications are. For those of you who don't quite get it yet - allow me to elaborate on exactly what it is that I'm talking about.

In the past several years, IT Security has gone through a great cycle. First we saw the birth of IT Security departments within companies as they realized the need to protect themselves from "bad guys" out there, in the bits and bytes world of cyber-space. Next came the phase which I call blissful ignorance. The business realized that they now had a "security guy" whose job it was to keep them safe -but they really distanced themselves from us - made our lives difficult. Maybe this quote will sound familiar - "I have a lot of responsibility- but no budget or power." The third major phase was reluctant acceptance. The business saw that they were being pressured from outside "bad guys" and had no other alternative but to give the IT Security guy they hired the time of day. Finally IT security had budgets, and some ability to drive change throughout the organization. After that, and most recently, came what I call business integration. Over the past few years IT Security has increasingly been given tougher and tougher problems to solve - some even outside the realm of IT knowledge! But the main theme at this phase was that the business saw IT Security as a necessary evil which it could use to beat back the ever-increasing evil presence all around. Fraud, hacking, denial of service were on the front pages of the Wall Street Journal, and panic by the heads of business resulted in an accelerated push to bring security more and more into the mainstream of IT and out of the closet. Now, I believe, we are living in yet another phase. We've accepted IT Security as a mainstream concept which all businesses need to embrace - but we're moving beyond that. We're moving into a time where IT Security must evolve past its IT-based roots. The final phase of the maturation of IT Security is business integration. The business is now understanding, albeit slowly, that IT Security is less a function of IT operations and more of a function of Business Risk. This is the key to actually getting things done, and the point of my writing.

The security of a business's digital assets is no longer a simple matter of slapping a firewall in front of the web presence, or putting anti-virus on user's computers. This is no longer good enough. Security is now learning to understand the business and how it functions, what makes it tick, and how it makes money. One of the things that I've personally taken away from the last 2 years at my current position as Security Architect is that we can no longer afford to operate in a vacuum of IT. Security can no longer build and attempt to execute policies which don't take into account the business processes and concepts which make the business what it is - a profit-based machine. After all, in order to sustain itself a business must make money.

Let's take something as simple as... passwords. Three years ago (or more) passwords were simple. Then a we learned that they were crackable we ratcheted up the complexity and frequency of change. Now we're at a point where password policies in most businesses are so complex and the change cycle is so frequent that we have totally defeated ourselves. Even I think of the password policies of 8+ characters, letter, embedded numerals and special characters which change every 30 days as ridiculous. What is the end result of this increase in complexity? It's actually quite simple if you ask any non-technical person. First, people simply try to avoid such systems. Second, these passwords are written down, pasted to a monitor or under the keyboard. Neither of these two outcomes makes the company better off.

So what is the answer? Risk analysis! As a Security analyst you have to learn the business, learn the processes, learn the people and how customers are served. Learn what drives the business. Then, take the policies you've written in the vacuums of IT Security space, and compare them against the business side of things - what happens? Often times you'll discover that you're asking the business to spend a million dollars on securing a product which will net the company a very small potential yield. In cases like this, the answer often is -"Fine, we'll just simply turn it off!" This, again, makes very little business sense. We as security professionals must evolve. We must understand that in order to pay our salaries the business must make money - and in order to do that we have to have functional systems which customers aren't afraid to use. How do we do this. How do we strike this balance?

This is the key ladies and gentlemen. This is what separates effective security professionals from everyone else. Being able to look at a system, understand the business process which drives it, and apply just the right amount of security such that the business is satisfied that it can function, and security is satisfied that it is reasonably secure is the key to success. I can't stress enough how important it is to look at both sides of the equation. Security and business must both be analyzed and understood in order to come up with just the right amount of security to [and here comes another golden key] enable the business. Security must be an enabler of the business.

So, why do I write that security is a business decision? Because it must come from the business itself. IT cannot make the business secure anymore. We can't patch people against social engineering, we can't patch business processes against logical flaws, and we can't run security in a vacuum anymore. These must all be driven from the business, with the proper consultation from security. Only then will we actually start to change the security posture of our enterprises.

No comments: