The single most common—and most damaging—error in IT security practice is the failure to approach it from a strategic perspective.
IT security is a complex and competitive endeavor. Attempting to address individual issues without a clear and consistent sense of the larger picture is like trying to play chess without being able to see the board or any of the pieces.
Nevertheless, businesses, large and small, continue to tackle problems and potential problems on an ad hoc basis, facing them one by one once they are perceived as crises. As a result, they not only end up with bad security, but spend far more than they should in the process.
If this is such an obvious and common mistake, why do people keep making it?
First of all, contrary to common belief, information security is not a technology problem. While it has a major technological component, it is actually system-wide issue that touches on nearly every aspect of business practice and planning.
As such, strategic planning requires an active collaboration between IT and management staff. IT staff need to educate management about the nature and degree of security risks, appropriate responses, and the technical benefits and costs of various defensive approaches.
Management, on the other hand, needs to work with the IT staff to make informed decisions about appropriate levels of risk tolerance. It also needs to review non-technical security measures, and incorporate both technical and non-technical measures into broader business practices.
This kind of collaboration would be exceedingly difficult under of the best of circumstances, and security issues definitely do not present the best of circumstances. While good security may prevent serious losses, it very rarely brings in money.
Security risks, moreover, are notoriously difficult to predict and quantify. As such, management staff tends to view preventative security measures as something of a luxury, particularly if they have never experienced a major security breach. Indeed, they often tend to view IT staff who advocate for improved security as alarmist or paranoid (though, to be fair, this view is not always unjustified).
IT staffers, for their part, often fail to place security concerns in context, focusing on technology issues to the exclusion of all else.
This makes communication with non-technical staff even more difficult and can further feed the perception of IT staff as alarmist by encouraging proposals that, while technically elegant, are overly burdensome or otherwise unfeasible in practice.
On the other hand, IT staffers are often reluctant to aggressively advocate for security measures. It is difficult enough, after all, to meet all of maintaining a modern business network without taking on tasks that management does not consider a priority.
The most obvious consequence of a lack of strategic planning is an underestimation of security risks, and a resulting failure to allocate sufficient time or resources to addressing them. Poor security often has no obvious impact on a business until something goes seriously wrong; indeed, major, damaging security breaches often go completely unnoticed until well after the fact.
In the absence of a strategic plan, it is all too easy to continually postpone addressing security issues—particularly regular assessment and maintenance—until more urgent concerns are dealt with. Unfortunately, very few businesses ever run out of urgent concerns.
These habits tend to reinforce themselves over time; the longer it has been since anyone has had to deal with security, the less likely it is to end up on a budget or at the top of anyones to-do list. Meanwhile, the staff is more likely to deactivate or circumvent various security measures in the name of convenience or new functionality.
A less obvious but equally damaging consequence of an ad hoc approach is the haphazard misallocation of security resources. When security issues do attract attention, businesses without a strategic plan typically find themselves operating in “crisis mode,” and are often unable even to assess the nature or applicability of the issue (never mind responding in a sensible, effective, or cost-appropriate manner.)
This stance leaves businesses vulnerable not only to the various parties seeking to breach their security but to unrealistic marketing pitches and media hype as well.
In the event of a significant breach, the best that can usually be hoped for from an unplanned crisis response is a costly investment in damage mitigation and remedial measures to “shore up” failed security.
Even when such responses are effective, they provide little or no opportunity to move beyond the immediate concern and prevent future problems. As such, staff is forced to move from one crisis to the next, allocating security resources based entirely upon the order in which problems arise.
This is a best case scenario, assuming an effective response. In the rush of a crisis situation, it is all too easy to overlook key details and allow current and/or future adversaries to circumvent your new security measures. It is all too easy to rely on vendors more interested in selling their product than in addressing your specific needs.
It is just as easy to get caught up in media hype around a purported threat that may or may not have any bearing on your circumstances. It takes only a small error in these circumstances to end up spending large sums with no resulting improvement in real-world security.
In many cases, IT security insurance can prove to be an extremely effective approach to breaking the security deadlock. Like any other vendor, insurance brokers are primarily interested in selling a product and may or may not be able to tell you anything new about security practices.
They do, however, specialize in evaluating, managing, and quantifying risk; as such they can be incredibly helpful in identifying the appropriate level of risk for a given business, and mapping out the most cost-effective way to achieve that level. By placing dollar values on security threats, they can also be invaluable in educating management. Last but not least, of course, they provide compensation for damages in the event of a security failure.
Unfortunately, insurance is often not a practical option. In this case, it typically falls on the IT staff to cajole management into a strategic planning process. In doing so, it is crucial to keep in mind why management staff tends to be reluctant to address the issue and what biases IT staff may bring to the table. Keep discussion focused on the need to allocate resources appropriately and prevent “crisis mode” waste, rather than resorting to scare tactics (justified or not).
The goal of a good planning process is not to turn a network into an impenetrable fortress but to make conscious, informed decisions: how much risk to tolerate, what kinds of costs and disruptions to tolerate, how much to spend and how to spend it.
These decisions will be made one way or another. Taking a strategic view prevents them from being made by default, or by accident.