Security's Everyman

Saturday, July 07, 2007

Security Urgency

There is a trend in information security (actually in IT and life in general) to tackle the urgent issues first. These are the issues that users are screaming about, that management is on you about, that auditors have written you up about, and then the things that get you noticed. No one gets noticed for the security flaw or vulnerability that they found, patched, and as a result prevented a breach. You get noticed when you put out a fire that other people see. Even if that fire is in the middle of a field and is surrounded by a moat full of water, people see you out there jumping up and down putting out that fire and they applaud you. This is where the security professional needs to make a change.

How do we do this? We can't stop fighting fires, because if we do then we will lose battles that we can't afford to lose, and we need others to see us succeed. We have to be proactive and plan. We have to know our environment and what the threats to it are. We have to put together a plan to protect our data and get management buy-in. Being proactive and getting buy-in can be our biggest challenges (next to time), but they are crucial to success: not only success in getting our plan implemented, but success in getting out of the "Tyranny of the Urgent" cycle.

This problem is multiplied for those who are either solo IT/security departments or part of a small shop. Fighting fires can and often does take most of your time, because the fires are always there. That is why it's important for management to realize that just because something is a fire doesn't mean that it's a priority. You need to have a policy in place that defines what is a priority and what isn't. A problem that affects only one user or doesn't impact the business is not as important as deploying a patch that will prevent a breach. Sure, the fire is visible and puts off heat, whereas the patch is seen by no one but you, but it is important and has to be done.

So what is it that needs to change? Our policy? Our plan? Our mindset? Ensuring that all three are constantly updated and evolving is a good idea, but our definition of urgent and our priorities are what keep us out of trouble and keep us from stomping out fires in the middle of a field surrounded by a moat full of water.

1 comment:

Jason said...

Interesting post, Andy - I'm one of those solo IT departments and spend most of my time putting out fires or waiting for the next big fire. You're right though - no one pats you on the back because the recently discovered Trojan/virus 'X' never made it into the building thanks to your sterling work, but they soon notice when the system goes down because there has been a power cut and the request for the additional UPS was denied for 'budgeting reasons'.

I'm not sure about the policy though or the plan - but the mindset definitely! I have spent years of my life trying to change mindsets and some you win and some you lose. Some of the businesses I have been involved with in the past are interested in one thing only - chasing revenue - and that sort of thinking leaves an awful lot of fires in its wake that need putting out by somebody.
Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.