Security Management for 2014

Security seems to be, for many, the idea of keeping everything clinically clean, not getting hacked and never introducing new risk into the equation. Well, guess what: there is no such thing as clinically clean in security, and I hate to break it to you, but IT security is about minimizing loss and reducing risk. It is not about being unhackable, because we all know that is not possible. I dare say that many security managers today are introducing more risk into their environment with their blanket decisions, saying “No” to just about anything that may or may not introduce new risk.

What I’ve seen in security is the quest, or illusion, of gaining perfect security. This involves security managers saying “No” to just about anything they can. I usually can’t settle for a plain “No, you can’t do that”, because I know better, especially when I know the relevant attributes of the risk picture have not been explored or discussed yet.

This article contains my attitude and thoughts on not accepting “No” as the only answer, and my opinion on how security management should be done. Whether I am right or wrong, I’ll let you be the judge of that…

Be a part of the solution, not the problem

If you catch yourself, as a security manager, saying “No” to the organization, you might notice that you are being distanced, ignored and neglected more and more. Perhaps no one comes to consult with you anymore? To many this may be read as an organization that doesn’t want to be secure, employees that don’t care, or people just being stupid. It feels like you are swimming against the current! Let me offer a small piece of advice: it’s probably not they who are the problem; most likely it is you.

You shouldn’t make it so that anyone coming to you does so with contempt and negativity! If you find yourself in this situation, it can soon become a downward spiral for your entire security team. It won’t be long until the organization looks at you as part of the problem, not the solution, and they will go out of their way to evade you, with the ultimate goal of having their problems solved one way or another. They will do what they can to circumvent your policies, procedures and best practices, simply because whenever they consult the Security Team they are faced with more problems and no solutions. They need their problems solved, not picked at!

Anyone approaching the Security Department should be welcomed and thanked. I’d offer them a cookie for stopping by. They didn’t have to come to you, but they did! Remember that the people approaching you are your customers. You want to make them happy, and you want them to return to you for their next inquiry. All this without forgetting your overall goal, namely protecting the business and adhering to its strategy and vision. Impossible? It shouldn’t be.

Protecting the business, while still being a “Yes Man”

Now, I’ve said you shouldn’t say “No”, but you may argue that some things are just too dangerous to put into your organization! That is why I want to illustrate my thinking with a use case: you are approached by users who need Dropbox. I won’t go into great detail in the assessment; I will, however, shed light on some of the important questions we need to ask ourselves. It is important to know that we can’t cherry-pick the problems we want to assess and ignore those we don’t. There is a solution, and the users need to understand it.

So let’s pretend the organization has approached you with a request: they want to use Dropbox to store files. A very important thing to remember is that the customers are not necessarily presenting you with the solution; instead they have a problem they need solved, and in explaining their problem they allude to their own ideas of how they would solve it. In this case they most likely need to store files and have them accessible from multiple networks and multiple devices.

Why am I calling them customers? Well, I call the company’s employees customers, even if they are my colleagues. Thinking of them as your customers is a good thing! Happy customers are returning customers; returning customers are good for business.

So with the Dropbox issue at hand, it may be tempting to just say “No, you can’t have Dropbox. It’s unsafe because we won’t know where our files will be stored, and the potential for data leakage is increased. We need appropriate control of where our files are stored, and Dropbox is no solution for that”. Now wait a minute. What do you think your users will do next? You haven’t presented them with a solution; instead you’ve only added to the problem. The inquiry still needs to be solved one way or another! Your customers will most likely manage to solve their own problem, but without involving you. This is REALLY bad, and probably worse than if you had accepted the use of Dropbox, or at least provided an alternative.

Let’s think about how we can solve the Dropbox problem while staying aligned with the security concerns of the organization. Ask yourself the following questions:

  • Have we already solved this problem? Maybe you already have a solution in-house you can use. Perhaps you already have some kind of internal storage which could be made accessible through VPN?
  • What are you trying to protect? What data are you afraid of losing through Dropbox?
  • Can data already be lost or exfiltrated through other, easier means? E.g. email attachments, USB thumb drives and the like.
  • What are you actually worried about? Foreign states or competitors spying on your data? Security vulnerabilities in the storage solution?
  • What other options do you have? Are there other vendors in the market providing a solution which is more aligned with your security policies?

With the above questions answered, you may be able to conclude whether or not Dropbox should be allowed. Perhaps you don’t want to accept the risk of using Dropbox, but the customer still needs his problem solved; what other options are there? There’s always the option to create your own private storage cloud. This could potentially be very expensive and hard to maintain, but it might be a good choice if you have the money for it. Otherwise there are many other vendors offering Dropbox-like functionality, and I’m not talking about SkyDrive or Google Drive; I am talking about professional products from vendors like EMC.

Do you see now that saying “No” to the Dropbox question isn’t as easy as you might have thought? There are many things to consider, and right now you are loaded with a better set of data to evaluate the way forward. Instead of saying “No, you can’t have this” you can say “Yes, you can have this, but it will cost you x dollars, as we would need to purchase through EMC because Dropbox does not meet our company’s security standard”. If the customer can hustle up enough dough, then why not let them have it?

The solution


The Security Department is primarily there to protect the business. Keep in mind that you are all on the same team, even if the employees may be viewed as the organization’s biggest risk. I challenge you to also think of them as your biggest ally. You probably don’t see them as your enemy, but have you heard the phrase “keep your friends close, and your enemies closer”? This applies to security. Some security people deliberately distance themselves from the users because they consider them “stupid” and “ignorant”. This is just wrong; we should instead approach them and befriend them.

Our mentality towards problems should be to approach them with a way to solve them. We have to force ourselves to think solutions instead of only problems. Thinking about and defining additional problems is of course good when analyzing a problem, but we have to stay on track toward a solution. If your entire meeting has gone to waste just by pointing at and defining other problems, something needs to change. The focus is wrong! If this applies to you, make sure your meetings end with defined actions, a timeframe, responsible people, and meeting minutes sent out to all.

Being pragmatic is a really important quality, which I think complements Information Security brilliantly. When I look at the definition of the word, I immediately fall in love with it:

prag·mat·ic
dealing with things sensibly and realistically in a way that is based on practical rather than theoretical considerations.
“a pragmatic approach to politics”
synonyms: practical, matter-of-fact, sensible, down-to-earth, commonsensical, businesslike, having both/one’s feet on the ground, hardheaded, no-nonsense;

This is how Security Management should be done! Sensibly and realistically…

The bottom line is: do not leave someone hanging. If they have an inquiry, make sure it is properly and adequately answered before you sign off with them. Think for a minute about the following quote by Robert Estabrook:

“He who has learned to disagree without being disagreeable has discovered the most valuable secret of a diplomat”

With that I want to conclude my article by encouraging Security Leaders of 2014 to say “Yes but” or “How” instead of “No”.

Thank you for reading, feel free to leave a comment!

  • G. Mark Hardy

    Chris:

    Very well stated. The “winning combination” of behaviors for a security officer is:

    – provide the same courtesy and treatment for users as your organization does for external customers;
    – determine the root cause of a security-related request (rather than accept the user’s first guess of a solution);
    – never say “no”; learn to say “here’s how.”

    In the example you cite above, a “here’s how” solution might be to use a cloud provider that automatically encrypts data as it’s being uploaded, and securely manages keys (Google comes to mind). Or a third-party tool that auto encrypts/decrypts information resident in the cloud (e.g., boxcryptor.com).

    Rather than prescribe a solution, involve the user in the solution by explaining the risks and the mitigation benefits. Understanding the “why” vastly increases compliance. Plus, a user who participates in developing the solution gains a sense of ownership, increasing likelihood of compliance.

    Bottom line, as a security professional, you are rarely the key resource for your organization (sorry). However, you are entrusted with helping your organization protect its key resources, and if you do so in a way that does not alienate you from the rest of the process, you will enjoy much more success and relevance.

    – G. Mark

  • Gary

    Sounds curiously familiar, Chris. Have you read PRAGMATIC Security Metrics, I wonder, or have we both converged on the same issue? Either way, well said sir! Hear hear!

    Regards,
    Gary Hinson http://www.SecurityMetametrics.com

    • Hi Gary. Sorry if you feel there is any indication of plagiarism. Would you like to point out whatever makes you feel curious about such indications? I have zero tolerance for plagiarism. I have also never heard of or read your book, sorry. I will definitely look into it!

      • Gary Hinson

        Hi Chris, no worries! I think you will enjoy the book. We are thinking along the same lines. Keep up the good work! Gary.

    • Gary, your book was published later than my article. I suggest you use my article as a reinforcement of your book instead of anything else. Btw, the next word I am planning to write about regarding security leadership is ‘conservative’. Perhaps you did some reflections on that in your book as well?

      PS: Congratulations on publishing 🙂

  • Very good site you have here, but I was wondering if you knew of any forums that cover the same topics talked about here? I’d really love to be a part of an online community where I can get suggestions from other experienced people that share the same interest. If you have any recommendations, please let me know. Cheers!