The single most common—and most damaging—error in IT security practice is the failure to approach it from a strategic perspective.
IT security is a complex and competitive endeavor. Attempting to address individual issues without a clear and consistent sense of the larger picture is like trying to play chess without being able to see the board.
Nevertheless, businesses large and small continue to tackle problems and potential problems on an ad hoc basis, facing them one by one once they are perceived as crises. As a result, they not only end up with bad security, but spend far more than they should in the process.
So, if this is such an obvious and common mistake, why do people keep making it?
First of all, contrary to common belief, information security is not a technology problem. While it has a major technological component, it is a systemwide issue that touches on nearly every aspect of business practice and planning. As such, strategic planning requires an active collaboration between IT and management staff.
IT staff needs to educate management about the nature and degree of security risks, plan appropriate responses, and weigh the technical benefits and costs of various defensive approaches.
Management, on the other hand, needs to work with the IT staff to make informed decisions about appropriate levels of risk tolerance, review nontechnical security measures, and incorporate both technical and nontechnical measures into broader business practices.
This kind of collaboration would be exceedingly difficult even under the best of circumstances. And security issues definitely do not present the best of circumstances. While good security may prevent serious losses, it very rarely brings in money. Security risks, moreover, are notoriously difficult to predict and quantify.
As such, management staff tends to view preventive security measures as something of a luxury, particularly if they have never experienced a major security breach. Indeed, they often tend to view IT staffers who advocate for improved security as alarmist or paranoid (though, to be fair, this view is not always unjustified).
IT staffers, for their part, often fail to place security concerns in context, focusing on technology issues to the exclusion of all else.
This makes communication with nontechnical staff even more difficult and can further feed the perception that IT staff is alarmist because it advocates proposals that, while technically elegant, are burdensome or otherwise unfeasible in practice.
On the other hand, IT staffers are often reluctant to aggressively advocate enhanced security measures. It is hard enough for IT staff to meet all of the demands of modern business networks without taking on tasks that management does not consider a priority.
The most obvious consequence of a lack of strategic planning is an underestimation of security risks, and a resulting failure to allocate sufficient time or resources to addressing them. Poor security often has no obvious impact on a business until something goes seriously wrong.
Damaging security breaches often go completely unnoticed until well after the fact. In the absence of a strategic plan, it is all too easy to continually postpone addressing security issues—particularly regular assessment and maintenance—until more urgent concerns are dealt with. Unfortunately, very few businesses ever run out of urgent concerns.
These habits tend to reinforce themselves over time; the longer it has been since anyone has had to deal with security, the less likely it is to end up on a budget or at the top of anyones to-do list. Meanwhile, staff is more likely to deactivate or circumvent various security measures in the name of convenience or new functionality.
A less obvious but equally damaging consequence of an ad hoc approach is the haphazard misallocation of security resources.
When security issues do attract attention, businesses without a strategic plan typically find themselves operating in “crisis mode” and are often unable even to assess the nature or applicability of the issue (never mind responding in a sensible, effective or cost-appropriate manner).
This stance leaves businesses vulnerable not only to the various parties seeking to breach their security, but to unrealistic marketing pitches and media hype as well.
In the event of a significant breach, the best that can usually be hoped for from an unplanned crisis response is a costly investment in damage mitigation and remedial measures to “shore up” failed security.
Even when such responses are effective, they provide little or no opportunity to move beyond the immediate concern and prevent future problems. Thus staff is forced to move from one crisis to the next, allocating security resources based entirely upon the order in which problems arise.
This is a best-case scenario, assuming an effective response. In the rush of a crisis situation, it is all too easy to overlook key details and allow current and/or future adversaries to circumvent your new security measures. It is all too easy to rely on vendors more interested in selling their product than in addressing your specific needs.
Its just as easy to get caught up in media hype around a purported threat that may or may not have any bearing on your circumstances. It takes only a small error in these circumstances to end up spending large sums with no resulting improvement in real-world security.
about the security breach at MasterCard International that exposed the payment records of more than 40 million credit card holders.
In many cases, IT security insurance can prove to be an extremely effective approach to breaking the security deadlock. Like any other vendor, insurance brokers are primarily interested in selling a product, and they may or may not be able to tell you anything new about security practices.
They do, however, specialize in evaluating, managing and quantifying risk. As a result, they can be very helpful in identifying the appropriate level of risk for a given business and mapping out the most cost-effective way to achieve that level.
By placing dollar values on security threats, they also can be invaluable in educating management. Last but not least, of course, they provide compensation for damages in the event of a security failure.
Unfortunately, insurance is often not a practical option. Instead it typically falls on the IT staff to cajole management into a strategic planning process. In doing so, it is crucial to keep in mind why management tends to be reluctant to address the issue, and what biases IT staff may bring to the table.
Keep the discussion focused on the need to allocate resources appropriately and prevent “crisis mode” waste, rather than resorting to scare tactics—justified or not.
The goal of a good planning process is not to turn a network into an impenetrable fortress, but to make conscious, informed decisions. How much risk to tolerate? What kinds of costs and disruptions to tolerate? How much to spend and how to spend it.?
Enterprises will make these decisions one way or another. Taking a strategic view prevents them from being made by default, or by accident.
Contributing editor David Raikow has worked in the IT industry for 20 years as a systems administrator, Web designer and developer, Webmaster, consultant, and—most recently—a writer. David primarily covers issues related to network security. He holds a law degree from UC Berkeley and occasionally writes about legislative and litigation-related topics. He can be reached at eWEEK@think-spot.com.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.