IT Security Can Be a Double-Edged Sword

By Avery Moore

Senior Director/Security

Jazz Solutions, Inc.

Implementing IT security controls can be a double-edged sword for many businesses.

On one edge is the need to implement controls that strengthen the security of the information system. On the other edge, those controls cannot actually be deployed without accepting some compromises elsewhere.

We see examples like this constantly in our connected world.

Ars Technica published an article in May detailing an issue with the “Find My” feature for iPhone. The feature lets a user locate a lost iPhone, which is good for the user's security. The trade-off, as Ars Technica put it, is that “when you turn off an iPhone, it doesn’t fully power down,” and the hardware that stays on to support the feature could be used to run malware.

When trying to run a security compliance program, IT professionals are constantly confronted with trade-offs of this kind.

A compliance checklist may require a certain setting to be turned off, while a security application that satisfies a different compliance requirement needs that same setting turned on. The iPhone case is the same conflict in miniature: the location service lets you find a lost device (good for security), but the Bluetooth chip that stays on to make that possible gives malware a place to run (bad for security).

But what it really comes down to is risk management.

An organization must continuously strike a balance between security and functionality. Security professionals look at the world through the lens of “CIA”: Confidentiality, Integrity and Availability.

However, we often overlook the “availability” aspect of that formula: a system that has been completely turned off is not secure, because it is not available to its intended users.

How can an organization analyze these trade-offs?

  1. Know the threat environment: This is not easy, but it can be done by keeping an eye on the latest news (e.g., breaches, attack methods, threat actors, current events) and by subscribing to threat feeds.
  2. Know your system: Knowing what software, and which versions, your systems are running is the fastest way to tell which published vulnerabilities actually apply to you and what your real exposure is.
  3. Know your users: Security teams can never forget that security does not occur in a vacuum. Without the users, an information system, and all the security measures around it, is pointless. Understanding what your users are trying to accomplish should inform the measures you take to protect the information system.
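As an added illustration of the second point (this is example code written for this page, not the author's or Jazz Solutions' tooling; the product names, version ranges and vulnerability identifiers are constructed sample data, not real advisories), the script below matches a software inventory against known-vulnerable version ranges. It compares versions numerically so that 10.1.0 correctly sorts after 9.9.9, treats a record with no fixed version as still open, and ranks the findings by severity together with the CIA property each one threatens, which is the starting point for the risk-management decision the article describes.

```python
"""Match a software inventory against vulnerable version ranges.

Example code written for this article; not a vendor tool. All hosts,
products, versions and vulnerability IDs below are constructed sample data.
Assumption: version strings are dotted integers such as "2.4.3".
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '10.1.0' into (10, 1, 0) so versions compare numerically.

    Comparing the raw strings would wrongly put '10.1.0' before '9.9.9'.
    """
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str      # hypothetical identifier, not a real CVE
    product: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet
    severity: float   # 0.0 - 10.0, higher is worse
    impact: str       # CIA property mainly at stake


def is_affected(installed: str, rec: VulnRecord) -> bool:
    """True if the installed version falls inside [introduced, fixed)."""
    v = parse_version(installed)
    if v < parse_version(rec.introduced):
        return False
    if rec.fixed and v >= parse_version(rec.fixed):
        return False
    return True  # no fix published yet, or still inside the affected range


def assess(inventory, records):
    """Return (host, product, version, vuln_id, severity, impact) tuples
    for every record that applies, highest severity first."""
    findings = []
    for host, product, version in inventory:
        for rec in records:
            if rec.product == product and is_affected(version, rec):
                findings.append(
                    (host, product, version, rec.vuln_id, rec.severity, rec.impact)
                )
    findings.sort(key=lambda f: f[4], reverse=True)
    return findings


# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("web-01", "examplehttpd", "2.4.3"),
    ("web-02", "examplehttpd", "2.4.9"),
    ("db-01", "exampledb", "10.1.0"),
    ("app-01", "libexample", "1.0.2"),
]

# Constructed sample vulnerability records (hypothetical IDs and ranges).
RECORDS = [
    VulnRecord("EX-2022-001", "examplehttpd", "2.4.0", "2.4.8", 9.1, "confidentiality"),
    VulnRecord("EX-2022-002", "exampledb", "10.0.0", "", 6.5, "availability"),
    VulnRecord("EX-2022-003", "libexample", "1.1.0", "1.1.5", 8.0, "integrity"),
]


if __name__ == "__main__":
    for host, product, version, vuln_id, severity, impact in assess(INVENTORY, RECORDS):
        print(f"{host:8} {product:14} {version:8} {vuln_id:12} {severity:4.1f} {impact}")
```

Run as-is, only web-01 (inside the affected range) and db-01 (affected, no fix yet) are reported; web-02 is already on a fixed version and app-01 is below the introduced version, so neither counts as exposure. The impact column is what turns a vulnerability list into a risk decision: an availability-only issue on a system that must stay online deserves a different response than a confidentiality issue on an internet-facing host.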

Finding that “sweet spot” can be difficult, but it’s not impossible. And it’s not static. It’s important to always understand the dynamics of the threat, your environment, and your users, then update your risk response as those factors change.
