“Users are not the enemy”, wrote Angela Sasse, head of the information security group at University College London, in the first of many papers explaining the burden that poorly implemented security places on ordinary staff. Back in 1999, she was trying – and still is now, 14 years later – to explain to security practitioners that security works best when it does not obstruct the productive work that most employees are there to do, and to help practitioners bridge the gap between their own priorities and those of the people they serve.
Because security is a mindset as well as a profession, it's easy for security personnel to identify more closely with each other than with the rest of the organization they work in. The result in the past has been a distinctly adversarial relationship, particularly in companies that regard security as an afterthought – the first thing to be cut when times are hard.
“I feel being the ‘no people’ is still the attitude some may have in the security world”, says Ron Hailes, chief knowledge officer and acting CEO at ISACA. “But it's not the relationship or perspective that people in successful organizations or security programs have. We have to be the solution people.” If you are simply a negative force, rather than someone who can focus on requirements, stakeholder needs, external providers, and how they all relate to the business and its strategy, then “you will just be irrelevant, and you won't be invited to the dance or to help the organization prosper”, Hailes adds.
For exactly this sort of reason, Ramsés Gallego, a security strategist and evangelist who joined Dell Software when it acquired Quest, recommends some cheap, simple strategies for transitioning out of being “the geek in the basement”. First, he recommends, “ask the right questions of the right people at the right time.”
For Gallego, that might mean having morning coffee with the sales manager and listening to complaints you might be able to help fix – slow invoicing systems, billing mistakes, or anything that's a business problem underpinned by IT systems. It might mean asking, whenever someone from a different department requests something, for details like when and why it's needed, and how the business will benefit. “Just the act of proposing metrics, measures, or projects leads to greater understanding of the issues”, he observes.
In addition, Gallego says, embrace change. “That geek should want a transformation as well – to become [armed with] business-oriented, process-driven, results-oriented tools, processes, and technologies”. Attend the kinds of conferences and training programs that help bridge business and IT and apply the things you learn, he stresses. “If it doesn't have a business meaning, it's useless.”
ISACA’s Peter Wood, also the CEO of UK-based consultancy First Base Technologies, has plenty of experience with the frustration of advising companies where security is simply not on the management agenda, such as companies with $5 billion (£3 billion) in annual turnover whose security department consists of just two people. In one case, his company conducted a wide-ranging annual due-diligence security test, covering all aspects – buildings, people, and technology – for a large retailer that employs some 65,000 people. His testers were tasked with gaining access to the buildings as if they were members of staff and then doing whatever they liked: accessing the network, cracking passwords, reading high-level documents, and so on.
In one case, “two of our guys did this through two phone calls, got passes saying they were members of staff. They were successful, entered the building, and stayed a week, during which they downloaded and cracked 6,000 different passwords, accessed any documents of interest to anyone – business plans, staff salaries, private personal data belonging to employees, manufacturing systems – and were never once challenged or detected.” His company wrote the report, presented it, and the customer was duly horrified.
“But because I don't think they'd ever had a real event, if it weren't for that particular security person to invite us to do that, it would never have gotten board attention at all”, Wood contends. “Their security processes were non-existent, their vetting processes none, their internal processes just horrendous. And that's not unusual.”
A New Attitude
Wood has long espoused the idea of risk-based security and says that, in his experience, security people are beginning to understand the need to operate differently than they have in the past.
“Every conference I've been to for information security professionals in the last two years has had on the agenda, or in networking discussions, the issue of getting what the security people think is so important communicated to the top level of the organization and business managers in other departments”, Wood recounts. Granted, these efforts still often fail: “Looking at it a bit dispassionately as a self-professed geek, the majority of security practitioners you speak to are also security geeks, and they just aren't necessarily finding a language that the senior executives find engaging or interesting.” Wood believes the key is not getting mired in scare stories and reams of technical detail, but giving people realistic risk-based scenarios that are relevant to the actual business at hand.
For example, he says, instead of starting with a dry checklist, start with presenting real threats for that particular business: who is going to attack, what their motivation and skill set are, what methods they might use. Then – even if only on paper – do an exercise replicating a real criminal attack that shows where the organization is vulnerable and what controls are in place at each step.
As Wood outlines: “I would engage anybody who has an investment in the firm – managers, CEO, and so on – and explain that you’ve constructed this story, and need 20 minutes of their time to describe it. Describe how you believe competitors will steal information, and communicate strengths and weaknesses. Then you can communicate with someone who has an interest in the business and understand that this is a real-world picture of something that could happen and how.” Focus, in other words, on credible threats and credible objectives.
Like Gallego, Wood believes it's essential to build relationships with fellow employees from other departments. His advice is to listen to what they say about what they believe the issues are, and then, “use this as an opportunity to discuss why those controls are in place, because people never get told.”
Years ago, some companies built exactly this sort of thing into their standard introductory training. When he joined Marks & Spencer earlier in his 30-year career, ISACA director Allan Boardman says the rule was that everyone spent a week working in one of its retail stores. Formerly also with Deloitte, JPMorgan Chase, Goldman Sachs, KPMG, PricewaterhouseCoopers, and the London Stock Exchange, Boardman recalls the philosophy was that the experience taught everyone the daily realities of the company's core business: the 4 am deliveries, retail management, and customer relationships. The practice continued throughout his time there: “We used to do a lot of it, sitting alongside someone in the business to understand what they're doing.”
Similarly, Ron Hailes cites a colleague in financial services who sits down with staff every year and reviews the company's annual report with them. “Some had no idea what it contained, what the organization's strategy was, or where it was getting revenues. They weren't things a typical security organization worried about, but it forced their perspective onto more than configuring firewalls.”
Hailes himself started his career in law enforcement, and moved into computer security in the 1980s, because he thought it looked like an interesting new field. The upshot is that his mix of experience and degrees is more diverse than most: he went on to get academic qualifications in computer science, as well as an MSc in criminology and a PhD in administration and public policy. He chose the latter when he noticed that although security is a very technical subject, he was increasingly hearing about policy that was being driven by governments. Even in that degree program, a lot of his courses were in the business school, and he wrote his dissertation on the banking regulation Basel II.
The ISACA CEO notes that sometimes you have to tailor not only the message itself, but the method of delivering it to suit particular audiences. He believes, for example, that we are on the verge of cultural change, as today's incoming cohort of young engineers has a different concept of information and information sharing.
“They wouldn't listen to a manager I recently talked to. Then he hired some really young people as part of the security program and indoctrinated them into the role of security to support the business and provide guidance to the development teams – and a young person could deliver a much more acceptable message than somebody who seemed to be outside their area.”
“Security has to enable. Why aren't we using 'allows', 'enables', 'facilitates'?”, asks Ramsés Gallego. “It's about enabling the business – whether it's security or infrastructure development or architecture, it has to enable the branch opening in Spain or the expansion into Asia. IT, and consequently its security, can no longer be thought of – or handled – in isolation.”