It’s not uncommon for folks working in information security to develop a certain degree of pessimism – after all, most security programs fail at one point or another. The odds are indisputably stacked against enforcers of digital security, with successful defense requiring continuous vigilance nearing or at perfection, and a successful attack requiring just one small mistake or vulnerability. It’s a difficult situation, to be sure. But it shouldn’t be cause for despair, and it certainly shouldn’t drive security practitioners to let their efforts slide into mediocrity.
Why Security Fails and What You Can Do About It
The fact is, there are a number of common issues behind security failures, and once identified, it is possible to take steps to avoid them. Here are four of the most frequently seen problems in security programs, and specific ways you can address them and make your organization more secure.
1) Human error
Obvious, right? Whether you expect people in your organization to use technology securely or comply with carefully crafted policies (or most likely, both), human error will intrude. Technology will be misused. Policies will be misunderstood, forgotten, or ignored. As a security expert, it can be tempting to blame the people in your organization and throw your hands up in exasperation. But exasperation does no one any good. Instead, remember: security is your job, not the users' or the executives'.
We like to say that security is everyone’s job and that statement is true. However, only InfoSec professionals have it as their primary job. We also have to realize that today’s security threats are so sophisticated that even seasoned security professionals sometimes fail to recognize them. Instead of blaming others, it’s important that you set realistic expectations of the folks around you – people whose top priorities and specialties aren’t security.
With expectations in place, you can prepare properly for the probability of security failures. This is key because your defense is only one aspect, albeit the most important, of a successful information security strategy. You also have to be ready to detect and respond to any incidents. Now, this doesn't mean you should expect or allow your organization to ignore security policies and sound security processes. Instead, develop policies and processes that are tailored to your company's needs, goals, and capabilities.
You can also build reasonable disciplinary action into your organization’s rules – and tie management incentives to security outcomes. Rewarding good security practice and discouraging more egregious oversights can help mitigate the challenges presented by human error.
2) Lack of management support
This is another familiar story for many security practitioners. All too often, security simply isn’t a priority for senior leadership. This trend does seem to be changing, with high-profile breaches grabbing the attention of some boards and executives, but many security teams still have to contend with relative disinterest from above. How can security professionals overcome this institutional challenge?
First, it’s important to remember that your business’ overall goal is to deliver a profitable product or service – accept this as a reality and consider ways to work within those constraints. Think about ways you can tie security goals to larger business outcomes and objectives. Think like an owner of the business and put yourself in their shoes. They have to balance all types of business risks and allocate a scarce amount of resources to deal with these risks.
We also have to realize that business executives may be more risk tolerant than we are as InfoSec professionals. We can assist the organization by ensuring they understand the risk in a meaningful, not Chicken Little, way. Maintain your credibility by keeping the threats you raise in proportion. Don't inflate risks or speculate about possible issues – keep the challenges you discuss with leadership grounded, relevant, and reasonable. This will pay off when you need to report on threats that are highly urgent.
3) Security is stuck in a silo
Some security departments can feel walled off from the rest of an organization. But that’s a problem: effective security requires insight into the entirety of a business. Left alone in the security silo, you will generally lack both the resources and perspective to make a serious impact.
What can be done? In short, security must integrate itself into critical processes throughout the business such as change control, SDLC, purchasing, IT asset management, and more. This ties into the recognition of business realities above: by understanding how your organization makes money and which processes are crucial to that, security professionals can initiate dialogues and relationships that may help foster better security throughout the organization.
4) Vendor and technology failures
It's time to discuss an awkward reality: if most security tools functioned as well as they were marketed and sold by business development folks, our current state of security would be vastly better. It makes sense to seek technological solutions to our challenges, and there are some useful tools out there, but security is much more than a question of technology. No software or hardware solution is going to serve as a silver bullet, and often the money spent on technology is disproportionate to the results that you can realistically expect.
Failures of these expensive technologies can often tarnish your credibility with leadership. What can you do? Again, the key is to set realistic expectations. Don’t rely on vendors or software tools to accomplish improbably comprehensive goals or fix all your problems. Focus on sound security processes and baking security into other sound business processes.
When you take a process focus, you will see areas where technology can enable the process. As that happens, perform a comprehensive needs analysis and a technology bake-off against those needs. Make investments and assurances in a measured way, and prepare for the possibility of failure. But you can increase your success rate tremendously by following a process-focused approach.
By taking a big-picture perspective, communicating effectively with others in your organization, and planning for detection and response measures in addition to defense, it is possible to sidestep some of the biggest challenges and lapses that face security professionals. It's true: good security isn't easy; it could be close to impossible with today's threats. But with care and foresight, you can make your organization's security strategy as effective as possible.