Top 4 Failures in Corporate Information Security
This post is the first in a three-part series about security. It introduces the top four failures we see in clients when it comes to information and technical security operations. Each of the next two posts will take two of the areas below and cover them in greater detail.
1) Fear rather than Risk and Profit Drives Security Initiatives
Too many teams and companies allow their security decisions to be made based on the fear of potential loss rather than focusing on how to maximize total profits through loss minimization at an appropriate cost. Business is inherently a risky enterprise, and the only way to reduce your business risk to zero is to get out of business. Every security (or other risk reduction) initiative you undertake has an actual, quantifiable cost in terms of capital (equipment), expense (headcount) and lost revenue opportunity from slower processes. All of those costs should be evaluated, in a level-headed fashion, against the potential loss you expect. Why would you possibly spend $10M to offset a potential (probability = .05%) loss of $8M happening sometime in the future?
2) Team Doesn’t Understand the Financial Driver of the Enemy
While there are folks who will hack your site or corporation simply to gain a reputation, the vast majority of the bad people out there are in the business of being bad to make money. Bad guys act when the perceived benefit of success is greater than the perceived cost of effort or failure. As such, security needs to be more than just locking the doors (increasing the cost of effort for the bad guys), it needs to be about lowering the perceived value of your belongings and increasing the perceived cost of getting caught. Hide your valuables and rather than making them just difficult to obtain, think about ways to make them meaningless to other people if they should get them. Remember that many incidents involve employees who already have the keys to your house – so make sure that if they get away with something that it isn’t of value to them once they leave the building.
3) Security Decisions Made by the Wrong Team
In the words of Garrett Hardin, the famous ecologist and author of “Filters against Folly”, for responsibility and delegation to work the person making the decision must be held accountable for that decision by the people it directly and indirectly affects. This is almost never the case for security initiatives. Security is about risk reduction at an appropriate cost and as such it is a question for the general manager. Unfortunately, what typically happens is that security teams are given a goal of reducing risk as much as possible and are asked to justify a budget. As risk has a direct impact to both revenue and cost, it is something that should be managed at the highest level of the company with input from the appropriate technical resources.
4) Overemphasis on Firewalls as a Deterrent
Firewalls are perimeter security devices. They serve a similar purpose to locks on your house. But just as you wouldn't put locks and deadbolts on every door inside your house, you should not put firewalls everywhere within your infrastructure. Every inline firewall is one more device that must be up for traffic to flow, so an overemphasis on firewalls will ultimately decrease your overall availability, through the multiplicative effect of failure, well beyond their expected long-term benefit as a deterrent. Rather, firewalls should be used as part of a broader security initiative. Just as you likely have locks, a security system, a neighborhood watch and potentially cameras in your home and neighborhood, so should you have some number of firewalls in the right places, relationships with law enforcement and a "community watch" program, as well as intrusion detection systems within your corporation or platform. And remember, hiding your valuables is as important as locking them up.
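The "multiplicative effect of failure" above is the standard serial-availability model: a request path is up only when every inline device on it is up, so per-device availabilities multiply. The example below is added here to make that arithmetic concrete; it is not code from the original post. The per-device availability figures and layer counts are constructed for illustration, and the redundant-pair function models the usual mitigation (an active/passive pair in parallel) for the firewalls you do keep in the path.

```python
"""Added example: how stacking inline firewalls erodes path availability.

Model: a request traverses N devices in series, each independently up with
probability a. The path is up only when all N are up, so availability is a**N.
A redundant pair in parallel is down only when both members are down: 1 - (1-a)**2.
All numeric inputs used below are constructed sample values, not measurements.
"""
from typing import Dict, Sequence, Tuple

MINUTES_PER_YEAR = 365 * 24 * 60


def path_availability(device_availabilities: Sequence[float]) -> float:
    """Availability of a path that must traverse every listed device (series)."""
    avail = 1.0
    for a in device_availabilities:
        if not 0.0 <= a <= 1.0:
            raise ValueError(f"availability out of range: {a}")
        avail *= a          # each inline device is another factor that can fail
    return avail


def redundant_pair_availability(device_availability: float) -> float:
    """Availability of an active/passive pair: unavailable only if both fail."""
    p_down = 1.0 - device_availability
    return 1.0 - p_down * p_down


def annual_downtime_minutes(availability: float) -> float:
    """Expected minutes per year the path is unavailable at the given availability."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def compare_layer_counts(device_availability: float,
                         layer_counts: Sequence[int]) -> Dict[int, Tuple[float, float]]:
    """For each candidate number of inline firewall layers, return
    (path availability, expected minutes down per year)."""
    result = {}
    for n in layer_counts:
        a = path_availability([device_availability] * n)
        result[n] = (a, annual_downtime_minutes(a))
    return result


if __name__ == "__main__":
    # Constructed scenario: each firewall is 99.9% available (about 8.8 hours down/year).
    for n, (a, mins) in compare_layer_counts(0.999, [1, 2, 4, 8]).items():
        print(f"{n} inline firewall(s): availability {a:.5f}, ~{mins:.0f} min/year unavailable")
    pair = redundant_pair_availability(0.999)
    print(f"one redundant pair instead: availability {pair:.6f}, "
          f"~{annual_downtime_minutes(pair):.2f} min/year unavailable")
```

Reading the output for the constructed 99.9% devices: eight single firewalls in series cost roughly 70 hours of expected downtime a year, while one redundant pair at the same per-device availability costs well under a minute. That is the trade the general manager in point 3 should be deciding on, with the deterrent value of each extra layer weighed against the availability it removes.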