Security's Everyman


Tuesday, April 15, 2008

Security Silos

Something that I've noticed over the years is that lots and lots of companies secure their environments in silos. Each team, division, LOB or whatever is responsible for securing its own equipment, and does so at its leisure and discretion. Not only that, but within these silos there are other silos. Whoever is responsible for a particular device (server, router, switch, firewall, etc.) secures it as they please, or not at all.

Traditionally, most people who are not security professionals and who get tasked with managing a device only secure the obvious. I've seen servers that have no admin password and only basic folder-level security. They were deemed to be secure. I've seen routers, switches and firewalls that were managed via telnet with weak passwords and no password on the console. Then there is the whole "one password fits all" mentality that many companies have. I call this "Security Silos". It's security done in bits and pieces, with no consideration for what is going on in other parts of the company with regard to security. It's the "my device is secure and I don't care about your device" syndrome.

What this misses is two very important pieces of information.

  • A device is only as secure as the weakest link in the network it sits on.
  • Security for the sake of security alone is no security at all.

You can lock a server (or any device) down to where it's next to impossible to get into it. Yet if the router that routes traffic to it is insecure, then the bad guys will be able to get to the server and pick away at it little by little until they find the chink in the armor. Or they will sit there and watch all traffic into and out of the server until they find something that is of use to them and use it against you.

If you secure a device just because it needs to be secure, then you are missing out on the big picture. You don't secure a device just because it needs it. You need to understand the purpose of the device in the overall picture of what the business is trying to accomplish. You then secure that device in ways that enable the business to work optimally while remaining secure. This cannot be done effectively in silos. Go back to point 1.

Companies often lack the vision and understanding of an overall security program. This is basically a company-wide umbrella that covers all aspects of security. It needs to include information security and physical security (or at least the ability to control physical access to information resources). To truly create this type of program, Senior Management needs to understand the need for it and must support it. The company as a whole needs to be informed about the need for it and needs to understand its purpose. IT needs to understand that living in silos will never allow them to truly succeed in their jobs. IT Management and personnel need to be on board with developing a program that will bridge the gap between infrastructure, network, servers, and applications.

If all of these don't work together, then you are just spinning your wheels. I'm amazed when I hear apps say that they don't need to worry about security because the network is secure, the server they reside on is secure or doesn't sit on the internet, or the app itself is secure because it requires a user name and password to access it. There is a lack of understanding of overall security principles between different IT groups. The server people know and understand server security, but they don't understand network or application security, and the same goes for the other two groups.

This is where an overall security plan and program add real value to an organization. It requires leadership and support in order to happen. This is where many programs fail. They get leadership, yet management never buys in completely, and therefore the program stumbles along. I know that some of you would argue that if the leader was really effective then he would be able to get the necessary support. I agree to a point, but I've seen some good leaders who were up against a wall and couldn't get the support. Yet at other companies they were able to get the support and create good programs. The reverse is also true: a company can't just decide that it needs a security program and never bring in leadership to create it. You can't will it to happen; it has to be led.

Sunday, February 17, 2008

When does security begin?

I ran across this the other day and had to save it for later. Now later has arrived.

It makes me feel good to know that I'm not alone. One of the biggest frustrations with my job is that, since they didn't have an official security program before I got here, security is often an afterthought. Sometimes that means after a project has begun, and often it begins after the project has been completed. Similarly to Mathias, so far the best I've been able to do is get a few of the PMs on my team, and my signature is required on the final paperwork before something goes live. Unfortunately there are a few problems with this.

  • The first problem is that after a project has gone from vision to final testing and is ready to deploy, the project team and sponsor get a little upset if security tries to put it on hold.
  • Often, by the time I've found out about a project, it is almost too late to ensure proper security is in place.
  • One of the most common things that I've run into is the lack of understanding of the need for security. I regularly hear "It's not on the Internet, so why does it need security?" or "You have to have a username and password to access the application, so it's secure."

I have been working on getting the rest of the enterprise to think about the need for security early on, and am slowly starting to see some results. We have a major project coming up that has already asked for my input, and it isn't even slated to begin until 2010 or 2011. That makes a security guy smile. :)

It's never too early to think about security for an application or a project, but that's rarely how it works out. Security is still an afterthought in the minds of many, and that requires that we not only be prepared to start at the beginning, but also to jump in at any point in the process and ensure that security is properly implemented.

Friday, January 11, 2008

Is Your Information Security Program Real or Only a Check box?

We all know that in order for an Information Security Program to really be successful it has to have support starting at the top. The IT manager can't decide that a program is needed, start implementing it, and expect it to really succeed. That doesn't mean that it won't succeed, but the IT manager will have to do a lot of leg work to make it happen.

Often a company will be informed by their Internal Audit Team that they need to have an "official" Information Security Program in order to achieve compliance with Regulations X, Y and Z, or to continue to pass external audits. Then they will start the process of finding and hiring a Security Officer and, hopefully, some staff.

This is all well and good, but is it effective? An audit- or regulation-initiated program does not guarantee management support, so the program is still going to face a huge uphill battle to succeed. If the program does not have the support of the CEO, and if that support does not cascade down to the levels below, then it doesn't matter that they have a program in place; it will be severely hampered. To make things more difficult, the information security team will be aware of the lack of support, and it will affect their attitude and therefore their performance.

A good Information Security Officer will work tirelessly to get the needed support of the CEO and the rest of the C-Level Management team. It's not easy to do sometimes, and it surely isn't a quick process. You have to start out by doing what you can and then build your case. You have to show the benefit of what has been done and what can be done.

There are a couple of things that are troubling to some Information Security Officers, things that can severely hamper their ability to win the needed support. The first is when the C-Level team is practically unreachable: when they are too busy to be bothered by lower-level staff, and when they feel that other things are more important than hearing about the need for information security.

The obvious thing to do next would be to start with members of the management teams that do have the ear of the C-Level team. Of course, that means that you have to have the support of that level of management, and often that is also missing. This can happen in companies that have been around for a while and that have management from the "old school". They have the mindset that says "We don't need no stinkin' information security program". Information Security is new and it is the "hot" thing right now, and therefore it can be threatening to the "old guard". They see it as something that they got along without for years and that has now been forced on them. So what's next? Will it become more important than their teams and take away some of their prestige, power and pull with upper management?

These are some pretty big hurdles to overcome in lots of companies. They can frustrate security teams, and they have to be overcome. So what is the answer? First, Information Security Management has to keep a positive attitude around the rest of the staff. They have to be diligent in building their case and getting it in front of those that matter. Start small and gain the allies that you can. Use them to gain more allies until you have what you need to present your case. During this phase you have to do two other things. 1) You have to be building your C-Level case so that it is rock solid when you present it. 2) You have to do what you can to secure the environment and get the program going. You may not be able to do all that you want, but do what you can.

Keep on keepin' on and success should soon follow.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.