This post is the last in a 3-part series and will cover the last 2 points from our post entitled the Top 4 Failures in Corporate Information Security. Here we are going to focus on why firewalls aren’t always the best solution to your problems and how to use your security team properly in your risk decision-making processes. We’ll end with a quick review.
Firewalls Can Be Bad Too
Firewalls can absolutely be overdone. In fact, in our experience they are very often overdone. Often firewalls are cited as being necessary to be compliant with certain regulatory requirements or industry standards (such as PCI compliance). Sometimes companies feel they must put them in place simply because similar “comparison companies” have installed them. Many times the driver of this need isn’t as much the requirement, standard or “comparison” company as it is misinformation on the part of firewall vendors or decisions made without complete information.
Firewalls, besides not being free either in terms of labor or capital (obviously), almost always reduce your availability and decrease your flexibility. Like any other piece of hardware and software, they fail from time to time. These failures often either lead to idle employees who cannot perform their work or, even worse, the turning away of revenue-generating customers from certain functions on your site. There’s no way around it – if you put a firewall in the way of a transaction, sooner or later it will cause a problem. Sometimes this is both acceptable and advisable, such as the additional protection that a firewall provides a database that stores PII such as credit card numbers. Other times, it is just an unfortunate cost and burden, such as when firewalls are used to protect static image servers that have very little valuable information on them and which are of little interest to money-focused bad guys. And finally, they can really harm employee productivity by stalling business initiatives. It’s not unusual to spend thousands of dollars of labor several times a year troubleshooting why a new service won’t work, or why an old service quit working, before identifying that a port in a firewall needs to be opened or was recently closed.
Security Teams as Contributors – Not Decision Makers
Your security team very likely has a lofty and aggressive goal – to keep your company, your systems and your data (or your customers’ data) free from being abused by bad guys. This goal doesn’t come cheaply, and the only way to guarantee it is attained is to either go out of business or spend so much on your risk adjustment initiatives that you will never make a profit.
The security team rarely has the business background and overall business context to make business tradeoffs when it comes to risk. While they may in fact have a number of people with advanced business degrees, their focus on reducing risk means that they are not focused on maximizing profits within the context of all of the available business levers. And you may not want them to have such a broad business focus as some practitioners argue that you want your risk team focused singularly on the available risk options rather than making the risk tradeoff decisions. The bottom line here is that the team should be involved in the decision process, but they are not necessarily the best decision makers for your risk management options.
Treat your security and risk initiatives as you would your personal property and valuables. Lock up and keep out of sight those things of significant value, but retain enough flexibility to allow you and your team to do your jobs quickly. You probably don’t put deadlocks on every bedroom in your house, as it just doesn’t make sense, and you probably don’t need to put firewalls on every LAN segment in your network for the same reason. Add passive detection devices such as intrusion detection systems to increase your level of security.
To review, we covered four failures in corporate information security:
1) Fear rather than Risk and Profit driving decisions
2) Teams not understanding financial drivers of the “enemy”
3) Overemphasis on Firewalls
4) Security decisions made by the wrong team
By understanding what motivates your enemy, approaching security with risk and profit rather than fear as a driver, acting sensibly when it comes to risk mitigation, and making risk decisions at the appropriate level, you can both decrease risk and increase profitability.