Business-Focused View of IT Security
One of the best lessons I learned as an industry analyst was taught to me by my wise friend Chip Gliedman at Forrester: If I build a 10-foot wall around my house for a thousand dollars, I may feel secure. But what happens when a fence salesman proposes to put three feet of barbed wire fence on top of my concrete wall for another grand? I have to decide if the extra height makes me more secure, and if so, whether it is worth all that money.
Of course, an intruder can still rappel down from a helicopter. So the wall is not enough and I begin planning a concrete dome. When we focus on security, we spiral toward over-engineering and bad decisions.
Most security managers and consultants fall into that trap on occasion. We dream so much about all the bad things that we lose touch with the motivations and goals of the business managers whom we serve.
There is a more natural way of achieving security: focus on the business. If I am a business manager serving a new application to my customers, I need a few basic things.
- I need to know who my customers are, with some level of confidence.
- I must ensure that they can do everything they need to do.
- Assuming I have many customers doing many things, I need a simple way of managing it.
- And at the end of the day I need reports telling me who did what.
Now, with no explicit talk of security, I just listed the four fundamental categories of security: authentication, authorization, administration and audit. Businesses also want something other than security. If a bank manager has a mandate to reduce expenses related to bank tellers, she has a couple of options. She could fire all the tellers and lock up all the bank branches, but then the bank would have no interface with its customers. Or she could take all the money, put it in piles on the street corner under a clipboard that says, "Take what you want, but write it down so we may balance your account." That wouldn't work either, obviously.
The best solution for reducing teller expenses is to take the money, put it on the street corner locked in a box with a computer attached, and give customers a plastic card for authentication and auditing. Security was never the point. The bank had a business objective and achieved it by using some security. That is how we all should think of security: as a way of helping our companies achieve the goals or value they seek.
If I want to secure my building, I can encase it in layers of concrete and steel. But no one will be able to get in or out. If I want my network to be secure, I can install a thousand firewalls and throw all my PCs in the sea. I will have a secure network, and I'll also be out of business. In other words, I can attain higher and higher levels of security, but often at the cost of the thing I was trying to secure.
The clearest-thinking CISOs have discovered some key considerations for aligning security measures with business objectives. Technology vendors, too, like Symantec, SecureWave and Promisec, to name a few, have incorporated these best practices (some more than others) in their products.
- Securing the perimeter isn't enough. Even if a security architecture can authenticate users and inspect machines at the network edge or as the connection is happening, the most obvious and glaring threats slip right through. Monitoring and controlling the movement of data on endpoints gives an organization tremendous protection, since most unauthorized uses of data are performed on those endpoints after they've already successfully attached to the network.
- Identifying internal threats is as important as catching outsiders. Now that basic firewalling is common practice, organizations should turn their attention to internal threats. After all, insiders account for at least 70% of confidential information breaches.
- Periodic vulnerability assessments leave gaps. Of course it's a good idea to perform comprehensive security audits of one type or another. Malicious behavior, however, happens daily, so complement your routine audits with technologies that monitor actions on endpoints with more diligence.
- Device protection is not endpoint security. Hardening an operating system, disabling a USB port, and locking down certain functions does not equate to endpoint security. Securing the endpoint means monitoring and managing the endpoint. Remember, we don't want to dip it in concrete. We still want to use it. So watching for actions that disable the personal firewall or re-open the USB port is critical, as is quick remediation once the change is detected. Just like at a casino, where dealers are watched by floor inspectors who are watched by territory inspectors, your endpoint security monitoring should be layered and constant.
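As an added example (not code from the article), here is the detect-and-remediate loop the last bullet describes, run over constructed endpoint state snapshots; the setting names, baseline values, remediation actions and host names are all assumptions made for illustration.

```python
# Added example, not from the article: a small endpoint configuration-drift monitor
# for the "monitor, detect, remediate, re-check" loop. All values are constructed.
from collections import namedtuple

BASELINE = {"host_firewall": "enabled", "usb_storage": "disabled"}  # expected state
REMEDIATION = {  # constructed mapping from drifted setting to corrective action
    "host_firewall": "re-enable host firewall",
    "usb_storage": "re-apply USB storage block",
}

Finding = namedtuple("Finding", "host setting expected observed action")

def detect_drift(snapshot: dict) -> list:
    """Return one Finding per setting that differs from BASELINE (a missing value is drift too)."""
    host = snapshot.get("host", "unknown-host")
    return [
        Finding(host, s, exp, snapshot.get(s, "missing"), REMEDIATION[s])
        for s, exp in BASELINE.items()
        if snapshot.get(s, "missing") != exp
    ]

def remediate(snapshot: dict, findings: list) -> dict:
    """Apply each finding's fix (here: reset the setting) and return the corrected snapshot."""
    fixed = dict(snapshot)
    for f in findings:
        fixed[f.setting] = BASELINE[f.setting]
    return fixed

def monitor(snapshots: list) -> dict:
    """Detect drift on every endpoint, remediate, and re-check so the fix itself is verified."""
    report = {}
    for snap in snapshots:
        findings = detect_drift(snap)
        if findings:
            if detect_drift(remediate(snap, findings)):  # second, layered check
                raise RuntimeError(f"remediation failed on {snap['host']}")
            report[snap["host"]] = findings
    return report

# Constructed sample: ws-02 has had its firewall disabled, ws-03 its USB block removed.
SAMPLE = [
    {"host": "ws-01", "host_firewall": "enabled", "usb_storage": "disabled"},
    {"host": "ws-02", "host_firewall": "disabled", "usb_storage": "disabled"},
    {"host": "ws-03", "host_firewall": "enabled", "usb_storage": "enabled"},
]

if __name__ == "__main__":
    for host, findings in monitor(SAMPLE).items():
        print(host, [(f.setting, f.observed, f.action) for f in findings])
```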
A business-focused approach enables companies to achieve their objectives by using some security; security is a way to help companies achieve their goals. This paves the way for looking not just at perimeter defenses, but identifying internal threats, eliminating vulnerabilities, making data more reliable, and spending less administrative time on correcting errors. Once you think your job is security, you are doomed. Our job is not to secure the network. Our job is to secure the business.