Information security is so complex that it's often done the wrong way or not done at all. But I'm not referring to technical complexities. I'm referring to political complexities: the people, power struggles, hidden agendas and related nonsense that make up the average business. Politics often drives security and can largely affect the organization's overall risk management.
The first thing you have to understand is that many people in management believe security is something that doesn't really affect them. I've heard it said "We don't have anything the bad guys would want" dozens of times. A common perception is that security is one of those "technical" issues that the IT folks can hash out.
Many executives will tell you that things are under control and everything has checked out just fine; after all, the company recently passed its audit and is in compliance with government laws and industry regulations. The thing is, many executives are often told one thing about security -- or they just completely misunderstand it -- but reality, as this chronology of data breaches illustrates, often proves otherwise. Best-selling business management author James Champy summed up this phenomenon when he said, "Many executives are insulated from reality and consequently don't know what the hell is going on."
The essence of security is controlling who has access to what. Interestingly, many executives are this way when it comes to funding information security initiatives. It may not make sense, but "it's not in the budget" usually means "it's not on my radar and therefore it doesn't matter." One thing's for sure: Audit and compliance are on the radar of most folks in management, so perhaps security can be addressed that way. In fact, audit and compliance are often the extent of "information security" in the business, but that approach is very short-sighted and is not sustainable.
Managing information security goes way beyond checklists and a snapshot-in-time status. Typically, it requires a decent, but not unreasonable, investment in things such as enhanced end point and mobile controls, improved Web security, patch management tools, awareness training and periodic security assessments involving ethical hacking tools and techniques. The soft side of security, which requires responsibility, oversight and process tweaking, is much cheaper. The labor is already there, it's just a matter of people choosing to do the right things – which happens to fall back on leadership and the culture that's been established. Management often overlooks this low-cost (arguably free) element of security and focuses only on the technical costs.
Digging deeper, it's important to understand that people have varying agendas. Turn of the century satirist and journalist Ambrose Bierce once said politics is "a strife of interests masquerading as a contest of principles. The conduct of public affairs for private advantage."
Don't ever forget this. Some people want to be able to flex their muscles and enforce their own policies. It gives them an ego boost.
Others want to please the internal audit group or outside auditors. It makes it look like things are being done for the good of the business. I've even seen some people go through the motions of performing in-depth security assessments only to end up completely ignoring the results and recommendations. Still others will go to great lengths to ensure that not a single dollar is spent on something that doesn't provide any perceived value. In the end, information security is not an on/off switch that's easily flipped just because it seems important. It's way more complex.
Don't think that the complexities of information security are someone else's issue to worry about. As the Greek statesman Pericles once said, "Just because you do not take an interest in politics doesn't mean politics won't take an interest in you." It'll track you down, smack you around and show you what the real world is all about. Know it and understand it so you can play along.
Kevin Beaver, is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at email@example.com.
This was first published in September 2009