Security Professionals are Plagued with Lack of Resources, too Much Work, too Little Time, and Competing Priorities. As a Result, we end up with Incomplete Security.
If information security were simple, I would have been out of a job years ago. But we don’t need to make it more complex than it is.
Information Security is a complex system. It’s made up of hardware, software, and wetware. Hardware is the easy part, which we use daily in the form of computers, servers, routers, firewalls, and the systems that support your environment. Most of us just buy the hardware we need to run our applications and support our mission critical systems. Hardware fails, but that failure is normally just the hardware “breaking”.
Software includes our favorite applications, antivirus software, and things like the firewall application that runs on the firewall hardware. Software is trickier. We have applications that manage our cool data, and databases that hold it.
The “Wetware” is actually the people, and is still the under appreciated part of this equation. The problem with wetware is that there is so much involved. Classical information security practice will tell you to define policies. Then based on policies, you develop procedures and training. You conduct the training and try to do some verification that people are doing what they are supposed to be doing. That does not sound so hard in theory, but in practice it has proven to be problematic.
We rely on people to write the policies. We rely on other people to read and follow the policies and standards. We rely on people to verify compliance and test systems. But, as people, we are flawed. We don’t always follow the rules. We don’t always do what we are told. We are plagued with lack of resources, too much work, too little time, and competing priorities. And, as a result, we end up with incomplete security.
A significant part of this is just due to human nature.
For some perspective on this, over some 80 assessments I asked clients to estimate their own level of security, using the following 0-5 rating scale:
0.0 – No functional security – think “badges, we don’ need no stinkin’ badges”.
1.0 – Limited, often ad/hoc security
2.0 – Basic security, basic planning, some standards
3.0 – Generally accepted standards of good practice
4.0 – Effective security, with planning, documentation, and validation – high regulatory requirements
5.0 – Essentially “perfect” security – best security available for a particular control area
Over the 80 assessments, the average score came out to just about 2.0. In each of those assessments, actual scores were gathered from hands-on inspections and interviews with technical staff. Assessments included risk assessments, physical intrusion tests, logical intrusion tests, application tests, war dialing, social engineering, and other related work. At the same time, we asked technical managers and executives where they expected their scores would end up, based on what they were currently doing. The average “expected” score for these same assessments was about 2.7. That showed a difference of about 25% between the actual and expected score.
Given the variety of detailed validation involved with the individual assessments, the assessment scores are pretty accurate. We can attribute most of that difference to the understanding of the environment that the technical managers and executives inhabit. So what’s the difference? The difference comes from a number of reasons, including:
1. The organizations have policies, procedures, and standards that the technical managers and executives know exist, but the staff within the organization are just not following.
2. Technical staff managers and executives considered technology, processes, and standards that had been planned, but had not yet been implemented by technical staff.
3. Technical managers and executives are simply victims of wishful thinking. The significant point is that the difference exists. For these 80 assessments, management pretty consistently overestimated the strength of their security programs.
This complicates security for everyone. Management thinks they are more secure, therefore they are willing to budget less and prioritize less for security initiatives. Technical staff has more work to do than management appreciates. Audits should be easier than they really are. Staff does not need as much training. The organization obviously needs fewer staff since they are not as bad off. It is a Catch 22 – we can’t fix problems we don’t know we have.
This perception gap does not exist for all companies. There are many organizations that really are as good as they think, and in some cases, even better. But, we saw that the perception gap was true on average, and was true for most of the 80 assessments reviewed.
So, how do we fix it?
That also is not as hard as it sounds. The first thing we do is recognize the problem when it exists. We need to pay attention to the security controls we identify and put in place. IT and security professionals need to be honest about what is put in place and what is working. Organizational staff needs to be honest about what policies, procedures, and training practices are working (and are not). Management needs to ask the right questions, and then make sure they are getting the right answers – not the “correct” answers, but the correct answers. Maintaining an active security management program helps, especially if it includes compliance management and security monitoring. But more importantly, the security management program needs to be enabled to accurately reflect the true state of the organization.
The rest is good standard business practice, since the main purpose of information security is to make sure that we can meet our business needs in a safe and secure manner.
