Managing the complexity of information security
Bruce Armstrong
Managing the complexity of business and IT security is like having a quarantine ward that every employee, contractor and guest has to be free to walk through.
We recently ran our security assessment, called RapidReview, on a company that saw its R&D appearing in competitors' offerings while it was preparing to bring new products to market.
The assessment, which is based on ISO27K, looked beyond IT security alone to create a profile of the security posture of the whole organization, from the reception to the boardroom. After all the interviews, checks and tests, they scored 19%: a serious fail, and one that explained the loss of their R&D. The road to redemption for them will see them make significant improvements, initially by focusing on the areas that have nothing to do with IT.
Security is a whole-of-enterprise issue, not simply an IT problem. The news is full of articles about hacked sites where the data is stolen and either published (Ashley Madison, Sony) or sold (The Home Depot). Most security breaches and data exfiltrations aren't the result of brute-force attacks through firewalls. Most involve social engineering, poor employee training, or poor HR practices.
Assuming that you have nothing of interest to others in your business would be naive, at best. If you have nothing worth stealing, you're not really in business. Even if you don't have patents and other intellectual property, you do have customer lists, usually with account and bank details, and you are responsible for keeping that information confidential.
Smart security is not only about stopping the bad guys from getting in; it's about stopping them from taking the information out of your business. IT's primary security focus for the last 10 years has been building walls to keep the bad guys out. This works well, until they get in. What happens next is typically mayhem and madness, a lot of long faces, head scratching and sometimes finger-pointing. To avoid this, there are some changes in thinking that you may want to consider.
Start by assuming the bad guys can get inside your network if they really want to, and that they will try to access your data and find your trade secrets, customer lists, and private information. This doesn't mean you make it easy for them to get in, but it is a change from the current thinking that walls and moats (a.k.a. firewalls) can keep them out.
Look at the access you provide to staff, guests and contractors to your physical space. For example, how hard is it to walk into a room and plug a laptop into the network?
Do you let staff use personal devices at work? If so, are they separated from your company network? Can staff use social media from their desktops? Can they email files outside your organization? Can they download data from workstations to portable storage devices? What training do you provide on security, both physical and information?
Looking at your network, are there zones of control and access, or is it a single, wild, walled environment? If the bad guys were in there now, how would you know? What could you do about it? Could you track where they have been, what they have done, or what they have taken? Could you get rid of them and know that they are gone?
That's a lot of questions, but it's really only a small window onto the information you need in order to understand your current, real information security status. There is much to know and understand to manage the complexity of security.
The new world order is not about the next generation of security software or appliances; it's about taking a whole-of-business approach to information security. Do you know what you don't know, or are you willing to guess and spin the wheel of fortune on the outcome?
Bruce