About IT Security
Working with many customers around the globe and observing their behavior, concepts and attempts at security, I think the major mistake
most IT organizations make is believing in tools only. Tools are tools: they help you get things done and achieve what you planned.
Most people forget that it begins with a plan: having an idea of what security means, and then shaping your strategy accordingly.
Too many IT organizations consider IT security a nasty little task they have to work on so they can tick a check box in their Excel sheet or drop an item off their agenda. The easiest way to do that is buying a tool. Most commonly I hear things like: "Yes, we have an anti-virus solution in place."
Well, this statement reminds me of the old days when I installed computer games from 3.5 inch floppy disks and was asked to
insert disk 3 of 15. Back in those days the first virus scanners came up.
Today, when we talk about cloud services and always-on devices, and computers are an essential part of our lives, a virus scanner is a tool you must have on your computer, but it is only a minor part of any security strategy.
Security starts with a mindset, an attitude; simply said, it starts in your head and should be a routine in your daily life.
You can have the best security technologies in the world in place, but what good does it do if your employees do not lock their computers when leaving their desks?
I stopped counting how often I could have read financial information from employee computers. Even worse, I have seen too many admins just going around the corner and leaving their computer wide open, although external consultants were sitting next to them and working with them.
For a while, I used to do funny things if a co-worker forgot to lock the computer. For example, I sent an email to the team in the name of my colleague and invited everyone for lunch. The simple idea: no pain, no gain!
It helped quite often but also added some pounds on my hips, so I stopped following this strategy.
But strategy is what companies need, and also what everybody needs. A strategy that starts with the people, with concepts, with the participation of everyone. Tools
should only be added once you have a plan.
Let's be clear at this point. Security comes at the cost of comfort. A very secure environment does not feel like a cozy couch. A comfortable environment
is not built like an army bunker. So the truth is somewhere in between, and mostly up to your business needs, customer interaction, local laws and the general demand for security in your region.
So if you are an IT admin, just focus for one day and observe your colleagues, IT processes and, even more, common routines and "internal best practices".
Look for simple things like:
- Who is walking through the door of your IT department?
- Do you and your colleagues lock the computer screen when leaving the desk?
- Do you log on to servers with your personal account, or as administrator/root?
- How often do you hear security mentioned in conversations throughout the day?
- How common is it to just download tools from the internet and run them?
- In virtualized environments, who has access to the hosts?
- Do you regularly check your servers for a consistent configuration?
- Is your organization using security audit logging?
- .....
Well, there are many more questions, but it might be worthwhile taking 10 minutes to start thinking for yourself.
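Two of the questions above, "Do you log on to servers as root?" and "Do you regularly check your servers for a consistent configuration?", can be answered by a script rather than a gut feeling. The following is an added example and not part of the original post: it compares constructed sshd_config excerpts from three hypothetical hosts (web-01, web-02, db-01) against an expected baseline and reports every deviation, then scans constructed auth log lines for direct SSH logins as root. The baseline keys, host names, usernames, addresses and log lines are all made up for the illustration.

```python
"""Configuration-drift and direct-root-login check over constructed sample data."""
import re

# Constructed baseline: the sshd settings every server is expected to have.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "LogLevel": "VERBOSE",
}

# Constructed sshd_config excerpts from three hypothetical hosts.
HOST_CONFIGS = {
    "web-01": "PermitRootLogin no\nPasswordAuthentication no\nLogLevel VERBOSE\n",
    "web-02": "# quick fix during outage\nPermitRootLogin yes\nPasswordAuthentication no\nLogLevel INFO\n",
    "db-01": "PermitRootLogin no\nPasswordAuthentication yes\n",
}


def parse_sshd_config(text):
    """Return {keyword: value} for an sshd_config excerpt, ignoring comments and blank lines.
    The first occurrence of a keyword wins, which is how sshd itself resolves duplicates."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1])
    return settings


def config_drift(baseline, host_configs):
    """Return {host: {keyword: (expected, actual)}} for every host that deviates from the baseline.
    A keyword missing from a host's config is reported with actual=None, because an absent
    setting silently falls back to the sshd default rather than to our baseline."""
    drift = {}
    for host, text in host_configs.items():
        actual = parse_sshd_config(text)
        diffs = {}
        for key, expected in baseline.items():
            got = actual.get(key)
            if got != expected:
                diffs[key] = (expected, got)
        if diffs:
            drift[host] = diffs
    return drift


# Constructed auth log lines in the usual syslog/sshd format.
AUTH_LOG = """\
Mar 12 08:01:12 web-02 sshd[2231]: Accepted publickey for alice from 10.0.1.5 port 51022 ssh2
Mar 12 08:05:40 web-02 sshd[2290]: Accepted password for root from 10.0.1.9 port 51100 ssh2
Mar 12 08:06:02 web-02 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 12 09:14:55 db-01 sshd[4410]: Accepted publickey for root from 10.0.2.20 port 40110 ssh2
"""

SSHD_ACCEPT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def direct_root_logins(log_text):
    """Return [(host, auth_method, source_ip)] for every SSH login directly as root.
    A sudo line run by a named user is attributable to a person and is deliberately
    not flagged; the problem is the shared, anonymous root session."""
    hits = []
    for line in log_text.splitlines():
        m = SSHD_ACCEPT.match(line)
        if m and m.group("user") == "root":
            hits.append((m.group("host"), m.group("method"), m.group("src")))
    return hits


if __name__ == "__main__":
    for host, diffs in config_drift(BASELINE, HOST_CONFIGS).items():
        for key, (expected, actual) in diffs.items():
            print(f"{host}: {key} expected {expected!r}, found {actual!r}")
    for host, method, src in direct_root_logins(AUTH_LOG):
        print(f"{host}: direct root login via {method} from {src}")
```

Run against the constructed data it reports web-02 (root login enabled, log level lowered during an "outage" that nobody reverted) and db-01 (password authentication on, LogLevel not set at all), plus two root sessions that cannot be tied to a person. The point is not the particular keywords but that the question "do we check for a consistent configuration?" has a repeatable answer once a baseline is written down.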
The next big question I have in terms of security is:
What happens if we have a security breach?
There are two ways to look at this question.
First, does it affect my customers, my business, my employees?
Second, how do we solve this issue? Is there a clear strategy
for how to behave and work through this tough situation?
Companies have different needs, and each type of business has very
specific security demands which are driven by customers and data assets.
So it is important to understand the impact of a security breach.
You may now say: and what about regional laws? I ignore them, as laws
are usually a result of misbehavior related to culture (simply said), and we are
living in an IT-wise globalized world.
Once you have identified a threat, which is sometimes not so easy, what do you do? According to my observations, most organizations enter headless chicken mode. They have no strategy for how to proceed. The best indicator for
HCM (Headless Chicken Mode) is your inbox. Count the number of emails going from one side to the other (ping pong), ending in numerous invites for task force meetings, typically from different people.
If so, I feel sorry for you, as you will surely go through times of extra hours, numerous hours of lost lifetime and a high heart rate caused by the gallons of coffee you will drink.
I hope you see why IT security starts with a strategy. This strategy includes concepts to avoid security issues as well as tactics for solving these issues when they happen.
Of course, this is just the start of a long walk, but believe me, once you reach the finish line, your life will become easier.
Think Secure!