Why Remote Access Security Is So Difficult to Manage
Tuesday, 29 June 2010

By Mike Meikle, Hawkthorne Group

I recently answered a question regarding why the security policies for remote access were difficult to manage and adapt to change.

The question came through LinkedIn from a PR professional: “So why is the policy so hard to adapt? Is it an issue of internal politics? Network security not being flexible enough? Or is policy actually not hard to change at all and I’m just picking up on ‘the complainers’?”

I dredged up all the fun and experience I’ve had with managing security for an organization and whipped up this response to the gentleman: “I think you answered your question when you asked, why is policy so hard to adapt?”

First off, internal politics has doomed many sensible security efforts. From “Why can’t the VP have administrator access remotely to the email server?” to “I don’t want to have to remember/change my password,” these pressures usually lead to a bare-bones approach to security as a whole. A metaphor for this is having a screen door on a submarine.

To touch on your next point, the flexibility of network security: it isn’t flexible. Even though a hacker can break a password in three days with a mid-level system and a high-end graphics card, we haven’t adapted to this new reality. One-time passwords, tokens and biometrics are still only utilized by a small segment of the population, mostly at government and high-level financial institutions.

Security professionals have a hard time making the case to upper management for security “best practices,” let alone more advanced technologies such as intrusion detection and prevention. So most companies go by the axiom that a “locked door keeps an honest man honest.” These companies probably know that a dedicated individual, within or without, could walk off with valuable assets without too much trouble.

Finally, you are not picking on complainers, in my opinion. It all boils down to the user and his/her acceptance of the policy or solution. Without user buy-in to whatever you are selling or implementing, it will fail or be resisted heavily. Folks in IT are usually poor sales/marketing people, which is why IT and the business should work together on designing their solutions to fit the needs of the users within the company.

Of course this would be weighed against a cost/benefit analysis and risk. A heavy-handed approach by IT or upper management will almost always guarantee a spectacular waste of money and time with an eventual bare-minimum compliance.

The solution? This goes all the way back to the strategic plan of the organization in question. Security has to start from the top down and be integrated in whatever solution, not tacked on as an afterthought.

It also involves training, for both employees and a company’s customers. Managing the expectations of both parties will help smooth the path for future adjustments.

Of course, security is but one component of the corporate IT environment. This is why the business and IT need to work hand-in-hand on a variety of issues. An adversarial relationship between IT and the business will cost a lot of time and money.

Mike Meikle is a senior consultant and senior program/project manager for several organizations across government, health, telecommunications, corporate and education sectors.

Copyright © 2009 - 2010 WireHead Security, LLC




Comments (1)

1. 06-29-2010 22:39
The best asset in the making the case for tight remote access is often a case study showing what happens when it is not tight; unfortunately, most organizations that are compromised either don't realize it or don't want to publicize it.
Copyright © 2007-2012 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.