Security's Everyman

Tuesday, October 31, 2006

Rethinking Security

Things at work are getting very hectic. Some major changes have caused us to stop and shift direction in many areas and rethink where we are going, how we are getting there and what we will do once we are there. To make things worse, management has moved a deadline up by about 5 weeks while increasing the amount of work required to reach the deadline. This isn't a "soft" deadline either. It's meet it or hit the road. If for some reason this deadline isn't met, we would not be able to conduct business until ALL of the items on the list are complete.

In the process of this we are having to rethink how we do security: how it impacts us in day-to-day business, how threats and vulnerabilities will be dealt with and how we will respond if a breach occurs. In some ways things will be easier in the long run simply because we will not be as heavily regulated as we were before the changes were announced. The downside of that is that the lack of regulation has already put some members of management into the mindset that security won't be as important as it should be.

My overall goal in all of this is to meet the deadline obviously, but also to impact how security is viewed by the organization as a whole. The right people have to be "shown the light" in regards to seeing that security will have a big impact on how we do business whether or not we are required to monitor, log, or report specific items.

Most people still view security as simple things such as keeping AV up to date and installing a firewall. They don't see the importance of multiple layers of security, or how event A can point you to event B, which shows a weakness or a breach. Not only that, users still don't see how seemingly simple things such as running Skype on their systems can be a problem, or how putting their PDA on the wireless is dangerous. They want to be able to go where they want to go on the Internet, hook up to any wireless that will let them, install any program that they deem necessary or fun, and still have unfettered access to company resources.

Security has to be rethought not only by those of us who implement it but by those who recommend it and by the end users. The digital world is a dangerous place and we have all got to be prepared for it. Part of that means that as security professionals we have to come out from behind our firewalls and work with management and end users to make them understand the whys and wherefores of what we do. We can't continue to hide behind our server room doors and make fun of "stupid users". Part of the reason they are stupid is that we have not done our part to educate them.

The changes that are coming at work will have a major impact on me and all of my users. Now I have a decision to make: will I lock them down and tell them to "shut up and go color", or will I work to make sure that they are on my team in keeping everything secure?

1 comment:

Security Catalyst (Michael) said...

I hope you find a way to get them to be "part of your team." Of course, not everyone will be, and for them, I'd have some crayons ready!

However, I meet with success when I help relate security (something people are generally unfamiliar with) to something they know or care about (myspace with kids, identity theft). Then I explain how the steps they need to protect themselves are precisely what we do at work.

Lightbulbs don't go on for everyone, but for those that do, we have some new champions in the crowd.

We can talk about this more in the catalyst community if you want. Clearly, I'll do what I can to help!

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.