Security's Everyman


Wednesday, February 28, 2007

Business or Security Experience?

I ran across this post from Security 360 the other day and saved it until I could read it and digest it. Tonight I took the time to do so. Here are my thoughts on it.

There is a disconnect between security and not only vendors, but also most everyone else. People don't get security, whether it's the end user, the network guy, the security manager or the vendor. Vendors expect that the IT guys get security, management expects that the vendor and IT get security, and the end user expects to be protected no matter what they do.

Often IT (especially in small companies) doesn't understand security. They are lucky to have someone who can effectively do networking, much less securely configure their equipment and environment. They think that running AV and a firewall is all they need. When a new product is to be implemented they expect it to be "plug and play" and secure out of the box. Vendors give them this idea, or they try to sell them consulting services to ensure that the product is configured properly and securely. That is a great idea unless the company can't afford the expensive consulting fees.

Management often expects that security will just "happen": they throw money at it and the problem goes away. Of course, if they don't know what it is they need to secure and what to secure it against, they are just throwing money away. Not to mention that they need properly trained security professionals to ensure that it is done right. If that isn't the case, then management expects the vendor to "fix" the problem for them. Again, not a bad idea, unless the vendor isn't security conscious (as we have seen here). There is much danger in this mindset.

Then there is the end user, who expects that IT has all the bases covered. If that is so, they can do what they want without danger. We talk security and we give them the impression that we, and therefore our networks, are bulletproof. So they feel the disconnect even if they don't understand it.

So, the long way around to my point. Should security management be business oriented or technical oriented? Both. If you have too much business and not enough technical, then you don't know what your guys are doing or whether they are doing it effectively. If you have too much technical and not enough business, then they have a hard time aligning with business processes. I'm not sure whether or not an MBA is necessary, but it doesn't hurt as long as there is a balance of technical understanding. Security managers have to stay sharp on what is going on in both technology and business. Security isn't a second-class citizen anymore, and we can't continue to treat it as if it were.

1 comment:

Michael said...

Ahh, I don't think user education is broken. On my own post I wasn't clear that those planned posts were going to be pretty much satirical.

At any rate, I'm not 100% behind user education. It will help, no doubt, but it can only go so far, kinda like how teen pregnancy and drug use won't ever go away no matter how much education there is.

But, no, I don't think user education is necessarily broken by any means. :) I should have been more clear on that in my own ramblings today.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.