Security's Everyman

Thursday, August 30, 2007

Where Does the Buck Stop

Dr. Anton asks the question "Where do you draw the line: Security Responsibility?" Well, this time the answer isn't "It depends". The way I read the question after reading his post is: where does the buck stop? The buck stops here. It stops with us. It is our job to secure the environment, and part of that job is to ensure that the users know how to practice security.

It would be ridiculous for IT or Security to have 100% responsibility. If we did, then things would be locked down so tight that the users couldn't get anything done. If we gave them all of the responsibility, then we might as well pack up and go home. That is, unless you want to spend your days playing PC clean-up or pushing out new images every few days.

We shoulder most of the burden. It's our responsibility to make sure that the systems are hardened, that the controls are in place, that the policies (both written and system) are effective, and to get as much information to the users as possible so that they can do their job (and even their play time) securely. If you have done all you can with what you are given and a system gets owned, then it's not your fault (your boss may think otherwise; just tell them to talk to me). If you haven't done all you can and you get owned, then it doesn't matter what the user did: you are responsible. Users are like little children. We can't send them out into the big bad world without preparing them and expect them to escape unscathed.

So how does Dr. Anton's equation really look? Probably something like Security=85%, IT=10% and Users=5%. We build the security program, create the policies, train the users (and IT), and set the rules. IT follows the policies and procedures that come from us. They build the systems according to spec and ensure that the infrastructure works as it should. Then the users do their part and play it smart and safe. Then we are all happy, safe and secure. That is a recipe for information security à la mode.

1 comment:

Dr Anton Chuvakin said...

OMG, this is awesome!

85/10/5 might be that magic formula :-) even though the specific stuff that goes into users' or IT "basket" will probably change across environments and over time ...

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.